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1 Executive Summary 

1.1 Project Summary 

Open Technology Fund (OTF) engaged iSEC Partners for work with the Tor Project to evaluate Tor 
Browser Bundle. After discussions with Mike Perry at Tor Project, it was determined that the best use 
of time would be to conduct a more research- oriented engagement, looking at how exploitation may 
be made more difficult on Tor Browser Bundle, aiming to provide recommendations for an upcoming 
"Security Slider" feature. 1 

Note: Tor Browser Bundle is based on the Firefox browser. In this document, iSEC has used "Tor 
Browser Bundle" when it is speaking specifically about the browser distributed by the Tor Project, and 
"Firefox" when speaking about features that apply to both distributions. 

The Security Slider will aim to disable certain features of Tor Browser Bundle at higher levels of security. 
To this end, iSEC was granted access to many private bugs on the Mozilla bug tracking software to 
catalog past vulnerabilities of Firefox by type and component. During this process, iSEC also analyzed 
several public and private exploits against Tor Browser Bundle and Firefox to investigate if there were 
any significant commonalities that could guide hardening recommendations. 

Firefox has a robust set of preferences for controlling features through the about :config interface. 
Several preferences relevant for the security slider are enumerated later in this report. While many 
of the features Tor Project may wish to disable or control are exposed through these settings, many 
are not. Therefore, iSEC examined different approaches to add these settings to the codebase, and 
developed patches in certain instances. 

iSEC also looked at more general hardening options that can be made to Tor Browser Bundle. Compiler 
settings that include strict memory checks are being explored by the Tor Project already, and include 
building Tor Browser Bundle with Address Sanitizer 2 - two items that can be added to this list are the 
Windows setting EnableTerminationOnHeapCorruption and an experimental feature in GCC named 
Virtual Table Verification. Additionally, iSEC confirmed that Address Space Layout Randomization, a 
best-practice feature for making exploitation more difficult, is currently omitted on Windows and Mac 
builds. 

Another general hardening option iSEC investigated was replacing Tor Browser Bundle's memory al- 
locator, jemalloc, with a hardened allocator. Parti tionAlloc, 3 developed by the Chrome Security team 
appears to be a good base for improving security through its feature-set. 

Several other tasks were performed, including suggesting ways to detect regressions in exposed DOM 
objects that may aid in user fingerprinting, and developing patches to enable assertions in specific 
critical components. 



'https : //trac . tor project .org/projects/tor/ticket/9387 
2 https : //trac .tor project .org/projects/tor/ticket/10599 

3 https : //chromium. googlesou rce . com/chromium/blink/+/master/Source/wtf /PartitionAlloc . h 
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1.2 Recommendations Summary 

Browsers have evolved in complexity tremendously over the past decade, and the Tor Project is in a very 
difficult situation with regards to it. Their ultimate goals of preventing fingerprintability and proxy 
leaks are not universally shared by Mozilla and the Tor Project development team is much smaller. 
The aggressive release of Firefox versions is offset by their Extended Support Releases, but this still 
necessitates a large evaluation of new features and patch-reconfiguring every 10 months. Furthermore, 
the Tor Project is in the process of developing significant features on top of Tor Browser Bundle - the 
new Tor Launcher, automatic updates, and the Security Slider. 

In short, the road Tor Project is embarking on will be difficult to continue while maintaining high 
security standards without considerable cooperation with Mozilla, a sustainable development group, 
and periodic involvement from specialized individuals. 

Short Term 

For the purpose of this research document, short-term recommendations are meant to be undertaken 
on the 1-6 month timeline. While all recommendations in this report are longer term in relation to 
typical vulnerability remediation, this area is a summary of strategic recommendations that should be 
taken in the short term to guide development efforts and protect users. 

Re-enable Address Space Layout Randomization on Windows and Mac builds. Currently Tor 
Browser Bundle builds for Windows or Mac do not have ASLR enabled universally. ASLR is a best- 
practice for browsers, and omitting it makes it significantly easier for attackers to bypass the (currently 
enabled) Data Execution Prevention settings. In addition to re-enabling ASLR, develop regression tests 
that ensure that ASLR is enabled on all future builds. 

Participate in the "Pwn20wn" Contest. Speak with the sponsors of the Pwn20wn and Pwnium 
contests, and see if they would be willing to allow the Tor Project to participate. Because Tor Browser 
Bundle is based on Firefox, change the target by attempting to standardize on a 'Medium' Security 
Level, which replaces the memory allocator with PartitionAlloc, disables significant functionality (such 
as Web Fonts and SVG) but leaves JavaScript enabled. Stabilize this selection in the Fall, several months 
before the contest, and change the goal from 'system compromise' to demonstrating a proxy bypass. 
(This will have the added benefit of allowing someone to claim a prize by demonstrating a bypass that 
does not achieve exploitation.) Review the exploitation techniques used, and depending on outcome, 
consider raising the difficulty to a 'High' security slider setting for the following year. 
Note that this recommendation is a short-term recommendation primarily because of the time of year - if 
Tor Project moved quickly on this, it would potentially be possible to participate in 2015 contest coming 
up. 
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Test Windows Firefox Exploits with Microsoft EMET. The Enhanced Mitigation Experience Toolkit 
(EMET), 4 currently at version 5.0, is a Microsoft-provided application that adds additional exploit 
mitigations to try and detect and defeat certain exploitation techniques. It is not perfect, but it is 
currently unknown if it would have prevented any actual exploit attempts on Firefox. Depending on 
its usefulness, it may be worth recommending to Windows users. 

Note: This may only be possible for Mozilla to do, unless the exploit examples are provided to the Tor 
Project. 



Long Term 

For the purpose of this research document, long-term recommendations are meant to be undertaken 
in the 6 month and beyond timeline. These may include significant changes to the architecture or 
code and may therefore require in-depth planning, complex testing, significant development time, or 
changes to the user experience that require retraining. 

Note: Many of the recommendations that iSEC would ordinarily make, such as developing an au- 
tomatic and secure update mechanism, are already being developed by the Tor Project. These rec- 
ommendations are omitted in the name of redundancy. Similarly, many recommendations, such as 
process sandboxing, are large and ambitious and probably outside the Tor Project's current capability. 

Closely follow the Chrome Security team. The Chrome Security team has been a source of innova- 
tion in the browser security space. Tor Browser Bundle is based on Firefox and thus inherits progress 
made by Mozilla automatically. While improvements in Chrome may not be appropriate for Firefox, 
they could be integrated in Tor Browser Bundle. In a best case scenario, members of the Chrome 
Security team may be allowed to work with the Tor Project on these changes. 

Replace the jemalloc allocator with ctmalloc and partition object allocation types. PartitionAl- 
loc, used by ctmalloc, removes in-line heap metadata and when used with separate partitions isolates 
object types. When used to its full capabilities, it should be considerably more hardened than jemalloc. 
This should make exploiting common heap corruption vulnerabilities more difficult. 

Investigate strategies to harden against Use After Free (UAF) exploits. A significant number of 
exploits and vulnerabilities that iSEC reviewed are Use After Free vulnerabilities. More recent versions 
of GCC seem to have some support for the 'final' keyword and Virtual Table Verification, which are two 
possible mitigations. Another area of investigation is using the partitioning features of PartitionAlloc 
to separate DOM objects from user- controlled buffers like strings and arrays. Future research efforts 
could be conducted by the Tor Project, affiliated or unaffiliated groups, to make improvements in this 
area. 

Develop a Firefox ESR migration process. Upgrading between Firefox ESR versions introduces a 
considerable amount of features being added to the browser, and additional preferences being en- 
abled that previously were off by default. Using the techniques described in section 3.9 on page 26 
and section 3.10 on page 26, develop a plan for migrating between ESR releases that includes a wild 
page that individuals can contribute to for tracking added functionality to Firefox. 



4 https : //connect .microsoft . com/directory/? keyword s= EMET 
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2 Engagement Structure 

2.1 Internal and External Teams 

The iSEC team has the following primary members: 

• Andy Grant — Principal Security Engineer 
agrant@isecpartners.com 

• Tom Ritter — Principal Security Engineer & Account Manager 
tritter@isecpartners.com 

The Tor Project team has the following primary members: 

• Mike Perry — Tor Project 
mikeperry@torproject.org 
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2.2 Project Goals and Scope 

The goal of this engagement was to determine what techniques could be used to harden Tor Browser 
Bundle against attacks in default and user-selected higher security modes. This included: 

• Reviewing Tor Browser Bundle's use of compiler and OS-specific hardening options 

• Investigating enabling debug assertions in production releases 

• Reviewing past exploitable bugs in Firefox to determine their type, origin, and what components 
(if any) could have been disabled to prevent exploitation 

• Identify and enumerate audio and video parsing libraries in use by Firefox 

• Identifying and reviewing protocol handlers enabled in Tor Browser Bundle 

• Review about : conf ig settings and components in Firefox that are unneeded or represent sig- 
nificant sections of code that can be disabled 
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3 Detailed Research Findings 

3.1 Bug Classification 

iSEC begun classifying the private bugs that related to the -70 CVEs Firefox has had since Firefox 
24. 5 The issue type and affected component is primarily determined from Mozilla's classification and 
comments on the issue, an explanation of the terms used can be found in Appendix A on page 29, and 
components with only a single issue are omitted. 



Component 




Vulnerability Type 




JS Core 




T TAT? 




Ion 




Undetermined 


yj 


ULJivi core 


Id 


Assert 


Z5 


Networking 


D 


T TT TTTVvT 
UU1M 


fc> 


WebRTC 


5 


Null Deref 


3 


WebGL 


5 


Heap Overwrite 


3 


Undetermined 


5 


Stack Buffer Overwrite 


2 


asm.js 


4 


Integer Overflow 


2 


ImageLib 


4 


Data Leak 


2 


Web Audio 


2 


Type Confusion 




SVG 


2 


Stack Overflow 




IndexDB 


2 


Memory Leak 




Image 


2 


Heap Overread & Overwrite 




Editor 


2 


Heap Overread 




Dom Core 


2 


Double Free 




DOM Sore 


2 






Canvas 2D 


2 






Audio 


2 







Specifically, iSEC reviewed the bugs linked to by the Mozilla Foundation Software Advisories from Sept 17, 2013 to April 29, 
2014. 
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iSEC also began to review public bugs suggested by Mozilla, using a specific query. 6 These issues are 
largely from the mid-2013 timeframe, and are skewed towards the Web Audio category, as it seems to 
have had a large category change. This second table does not represent a complete view of data from 
a particular time period. 



Component 




Vulnerability Type 




Web Audio 


18 


UAF 


14 


JS Core 


5 


Heap Overwrite 


8 


SVG 


3 


Heap Overread 


4 


DOM Core 


2 


Assert 


4 


WebGL 


1 


Stack Pointer Corruption 


1 


Persona/Identity 


1 


Stack Buffer Overwrite 


1 


file:// URL 


1 


Undetermined 


1 


IndexDB 


1 






ImageLib 


1 







3.2 Exploit Analysis 

iSEC analyzed four exploits for Firefox and Tor Browser Bundle that were discovered in the wild, 
documented publicly, or provided by Mozilla. Exploit analysis can indicate which techniques real- 
world attackers use to compromise browsers, and guides exploit mitigations. HP's Pwn20wn, 7 Google's 
Pwnium, 8 and Microsoft's Heart of Blue Gold 9 programs are all designed to understand how real-world 
exploits and exploit mitigations work, and how software can be hardened in effective ways. 

Tor Browser Bundle shares a significant amount of attack surface with Firefox. However, currently 
there is a significant difference in threat model - it is absolutely critical for Tor Browser Bundle not to 
expose any proxy leaks that would send traffic outside the configured SOCKs proxy. In the future, as 
the Security Slider is developed and the memory allocator potentially replaced, Tor Browser Bundle 
will diverge even further from Firefox. iSEC recommends working with third parties to attempt to 
participate in these contests to gather intelligence on how well Tor Browser Bundle meets its specific 
goals and how attackers can circumvent hardening options Tor Browser Bundle incorporates. 

It is likely that exploits against Firefox will continue to guide decision-making for Tor Browser Bundle 
and the Security Slider, analyzing these exploits now and in the future will continue to be important. 

August, 2013 Freedom Hosting Exploit 

The Metasploit team performed an analysis of the exploit, 10 which says it uses an information leak to 
craft a ROP chain specifically for Windows 7 using ntdll, and transfers execution into that chain using 

6 https : // bugz ilia .mozilla .org/ bugli st . cgi? j_top=0R&f l=keywords&ol=anywordssubstr&resolution 

= &resolution=FIXED&classif ication=Client%20Software&classif ic at ion=Components&o2=any words 

substr&query_f ormat=advanced&f 2=status_whiteboardSvl=sec- high%20sec- critic a l&v2=sg%3Ahigh%20 
sg%3Acritical&list_id=10101009 

7 http : //www. pwn2own . com/ 

8 http : //blog. chromium.org/2014/01/show-off -your- security- skills . html 

9 http : //blogs . technet . com/b/bluehat/archive/2013/06/19/heart-of - blue -gold- announcing- new- 
bounty- programs . aspx 

10 https : //community . rapid7. com/ community /met a sploit/blog/2013/08/07/heres -that- f bi-f iref ox- 
exploit -for- you -eve- 2013 -1690 
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a stack pivot also in ntdll. The ROP chain calls ntdll ! ZwProtectVirtualMemory to disable DEP and 
then moves into the exploit payload. 

Good analyses of the exploit's payload were conducted by Gareth Owen 11 and Vlad Tsyrklevich. 12 The 
payload has a few interesting points. Firstly, it uses a function resolver included in Metasploit 13 to 
identify where functions it wishes to call are in memory. Secondly, it loads two libraries iphlpapi . dll 
and ws2_32.dll - the second library contains a connect() call the payload uses to send a request, 
the first contains the SendARPQ function the payload uses to determine the system's MAC address. 
The running instance of Tor Browser Bundle already has functions that can be used to issue requests 
(eliminating the need for ws2_32 .dll). It is unknown if there is an existing function that could obtain 
the system's MAC address, but it seems likely. 

VUPEN 2014 Pwn20wn 

This analysis is based on VUPEN's writeup at the following URL: 

http://www. vupen. com/ bLog/ 20140520. Advanced_ExpLoi.tation_Fi.refox_UaF_Pwn2Own_2014.php 

In the Pwn20wn content in 2014, VUPEN exploited a Use After Free vulnerability that resulted by 
Firefox being placed into a 'memory-pressure' state. The object itself was not a DOM object or other 
object created by the webpage, but rather a "BumpChunk" object that is created by the allocator for 
managing memory. 

After the BumpChunk is freed, VUPEN creates an ArrayBuffer in its place, which is manipulated to 
gain read and write access to the entire process address space. With read access, the exploit can defeat 
ASLR, and build a ROP chain using mozjs.dll. 

There are a few interesting components of the exploit. They exploited the memory-pressure state of 
Firefox, but not for any unique properties of that state but rather because entering that state caused 
a Use After Free itself. Through clever manipulation of the ArrayBuffer and View, VUPEN was able 
to create an ArrayBuffer with length 0x01000000, which is large enough to edit a second ArrayBuffer 
with length OxFFFFFFFF, which in turn can read and write to any location in the process address space. 

Private Exploits 

iSEC also analyzed exploits that were submitted privately to Mozilla. Interesting characteristics about 
these exploits were: 

• Several exploits use ArrayBuffers with invalid lengths, and one used a technique very similar to 
VUPEN's, creating an ArrayBuffer and then a view with an invalid length that was used to write 
into arbitrary memory. 

• Another exploit used a vulnerability that allowed the author to execute JavaScript as the system 
principal (in the Firefox use of the phrase, not a root or SYSTEM user account) achieving arbitrary 
code execution. Most notably, this exploit did not use any memory corruption to achieve code 
execution. 



u http : //ghowen . me/fbi- tor- malware- analysis/ 
12 http : //tsyrklevich . net/tbb_payload .txt 

13 https : //git hub. com/ iagox86/nbtool/blob/ma st er/ samples/ shellcode-win32/ bloc k_api . asm 
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3.3 Security Slider Thoughts 

This section contains individual components of Firefox that iSEC has researched either through ex- 
isting preference settings or bug categories. iSEC's recommendations are based around the following 
Security Levels. 

• None - TBB is configured in its most permissive state 

• Low - High-Risk components are disabled, unless they are used by a large percentage of websites 

• Medium - High-Risk components are disabled unless they are used by an overwhelming majority 
of websites. Medium-Risk components are disabled, unless they are used by a large percentage 
of websites. 

• High - JavaScript is disabled. Many if not most components are disabled in the name of reducing 
attack surface. 

media.webaudio.enabled 

The Web Audio feature is disabled in Firefox 24 and Tor Browser Bundle. It was enabled in Firefox 
25 14 and is now on by default. After reviewing security- relevant bugs in Firefox, a significant number 
of potential vulnerabilities were found in this component. 

Recommendation: Disable at the Low or Medium security level. 
media.audio_data. enabled 

The Audio API was an experimental API superseded by the Web Audio API. 15 In Firefox 24 and Tor 
Browser Bundle it was enabled, but is disabled in Firefox 28. 

Recommendation: Disable at the Low security level, 
layout. css.flexbox.enabled 

This preference has been true by default since Firefox 22, and the preference itself was removed in 
Firefox 28. 16 iSEC does not have a specific recommendation for this setting, but wanted to note that 
the revision that removes the preference is at https://hg.mozilla.org/mozilla-central/rev/la09d295 
aalc, and is simple enough that it may be re-added, or potentially copied to other styles. 

gfx.downloadable_fonts. enabled 

Web Fonts in .ttf, .otf, and .woff formats can be downloaded, parsed, and used by Tor Browser Bundle 
by default. Mozilla conducted a Security Review of downloadable fonts, 17 and their concern was the 
same as ours: that the font parsing subsystems could have vulnerabilities that an attacker could exploit. 
To mitigate this threat, Firefox integrates the OpenType Sanitizer. 18 

14 https: //developer. mozilla. org/en-US/Firefox/Releases/25#Interf aces. 2FAPIS.2FD0M 

15 https:/ /developer. mozilla.org/en- US/doc s/Int rod ucing_the_Audio_API_Extension\protect\ 
char"0024\relaxhi story 

16 https: //developer. mozilla.org/en-US/docs/Web/Guide/CSS/Flexible_boxes 
"https : //wiki . mozilla . org/Firef ox3 . l/Downloadable_Fonts_Security_Review 
18 https : //code . google . com/ p/ots/ 
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The OTS Sanitizer appears to be effective at preventing exploitable bugs. No software is perfect how- 
ever, and there is a lot of concern around Font Parsing on Windows. 19 

Recommendation: Disable at the High security level. Ordinarily, iSEC would recommend disabling 
these at the Low or Medium security level, but the Tor Browser Bundle team has indicated that they 
wish to prefer remote fonts over local fonts for user fingerprinting reasons. 

gfx.font_rendering.graphite. enabled 

The Graphite Font Shaping feature 20 is functionality used to more accurately render complex scripts in 
South-East Asian dialects. The feature has been enabled by default since approximately Firefox version 
12. 

At least one security-relevant bug in the last year (836225) was found in graphite parsing, as well as 
three in the last two years (752662, 753230, and 753623 which is CVE -2012 -3971). iSEC believes this is 
indicative of other issues present in the code base. The library is not maintained by Mozilla, and while 
Mozilla indicates they fuzz it, it is not clear how often with respect to new releases, or how thoroughly. 
It was subject to a security review by Mozilla. 21 

Recommendation: For South-East Asian or other relevant locales, disable at the Medium or High 
security level. For other locales, disable at the Low security level. 

gfx.font_rendering.opentype_svg.enabled 

SVG in OpenType fonts is a featured designed to provide support for using SVG inside font files to 
create colored, animated, or more expressive glyphs in fonts. 22 In Firefox, this feature was disabled 
in ESR 24, and is enabled in (at least) Firefox 29. iSEC was unable to find any security review of this 
feature, or security-relevant bugs. iSEC does not expect high usage of this feature on the Internet, 
as it does not appear to be supported in any other browsers - a competing solution, SVG fonts 23 is 
implemented in Chrome, Safari, and Opera. 

Recommendation: Disable at the Low security level, 
media.*. enabled 

As explained in section 3.7 on page 23, there are several codecs used or enabled in Tor Browser Bundle, 
and each have seen security vulnerabilities at the Critical level and below. iSEC was unable to make a 
determiniation if any formats were used more or less commonly on the web that could guide a decision 
to disable one or more of these features at the Low security level. 

Recommendation: Disable at the Medium security level. 

19 http : //threat post . com/of -t ruetype- font -vulnerabilities -and -the -windows- kernel/ 101263 
20 https : //wiki .mozilla .org/ Features /Platf orm/Graphite_f ont_shaping, http: //scripts . sil .org/ 
cms/ scripts/ page. php?site_id=projects&item_id=graphite_f ontdemo 
21 https : //wiki . mozilla . org/Secu rity /Reviews/ Firef ox/Graphite 

22 More information can be found at http://robert.ocallahan.org/2013/02/svg-in-opentype-new- 
approach-to-svg.html, http://robert.ocallahan.org/2013/08/svg-in-opentype-progress-update. 
html, https : //wiki .mozilla .org/SVGOpenTypeFonts, and https : // bugz ilia .mozilla .org/ show_bug. cgi? 
id=719286 

23 http : //caniuse. com/ svg- fonts 
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dom.indexeddb.enabled 

The IndexedDB feature is currently disabled in Tor Browser Bundle for user fingerprinting reasons. 24 
In addition to these reasons, iSEC would like to raise concerns with its security, as there is a small 
history of security vulnerabilities in the feature. Although Mozilla has conducted a security review, 25 
its complex featureset and API imply a large and complex codebase where vulnerabilities may reside. 

Recommendation: Continue to disable at the 'None' or Low security level, 
javascript. options. asmjs 

This setting controls the ASM.js feature in Firefox. Disabling this function will still allow JavaScript 
execution, but it will not be performed by the more optimized ASM.js engine. A few bugs have been 
present in the ASM.js codebase, but because of its constrained environment, exploitation may require 
more tricks as many of the common exploit techniques may not apply. 

Recommendation: Disable at the Medium security level. 
Ion JIT Compiler and Related Options 

At the request of the Tor Project, iSEC investigated three settings related to the newer Ion JIT Compiler: 

• javascript. options. ion. content 

• javascript. options. baselinejit. content 

• javascript. options. typeinference 

Ultimately, while disabling these features will remove code paths with a history of vulnerabilities - 
the public exploit pattern seems to be more focused around Use After Free vulnerabilities, and thus it 
does not seem it will remove code paths attackers actually target for exploitation. Additionally, iSEC 
understands that are user reports of having these settings disabled and experiencing poor performance, 
which much also factor into the decision. 

Recommendation: Disable at the Medium security level, 
webgl. disabled 

WebGL is a JavaScript API for rendering interactive 2D and 3D graphics in the < canvas > element. In 
2014 alone, it has been the source of 3 sec-critical, 3 sec-high, and 1 sec-moderate bugs in Mozilla's 
bugtracker. 

Recommendation: Disable at the Low or Medium security level, 
jar: protocol 

As explained in section 3.8 on page 25, the jar: protocol handler is a Firefox- specific feature that 
is largely unused on the broader Internet, mostly being used in Intranet sites. Its unusual nature, 
moderate complexity, and lack of widespread use make it a strong candidate for disabling. 

24 https : //trac .tor project .org/projects/tor/ticket/8382 

25 https : //wiki .mozilla .org/Secur ity /Reviews/ Firef ox4/ IndexedDB_Security_Re view 
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Recommendation: Disable at the Low security level using the supplied patch. 
SVG 

The SVG components have been the host of several exploitable bugs in the past several years. Un- 
fortunately, Firefox does not have a built-in preference to disable SVG, as it was removed 26 when it 
was determined that Firefox itself used SVG internally, and thus the preference could not be sup- 
ported. iSEC did not have time to investigate if SVG could be easily removed - an initial search yielded 
a potential function in content/svg/content/src/nsSVGFeatures . cpp, but this function does not 
control functionality and merely reports an answer for the document, implementation. hasFeature 
functionality check. 

Recommendation: Disable at the Low or Medium security level. 
JavaScript 

Clearly there are a number of bugs that fall into the JavaScript Core component. These bugs would be 
difficult to eliminate without entirely disabling JavaScript, which is required for most of the Web to 
function. 

Recommendation: Disable at the High security level. 
TLS Settings 

Most web browsers, including Firefox, do not have as strict settings on TLS as may be desired in certain 
situations. The Tor Project could consider preventing the use of RC4, removing protocol downgrades 
to TLS versions below TLS 1.2 or 1.1, requiring DHE ciphersuites, removing the option to click through 
self-signed certificates, or removing certain Certificate Authorities from the trust store. Revocation 
presents an interesting situation: on the privacy side there is an argument to disable remote OCSP 
queries to avoid leaking this data to a third party; but on the security side there is an argument for 
enforcing OCSP Hard Fail. 



https : //bugzilla .mozilla .org/show_bug. cgi?id=617448 
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3.4 Compiler Hardening 

Microsoft Windows 

iSEC investigated how the gitian build system compiled Tor Browser Bundle for Windows. While 
Mozilla builds Firefox using Microsoft Visual Studio compilers, gitian uses MinGW to compile Tor 
Browser Bundle using gcc on Linux targeting Windows. This affects many of the exploit mitigation 
technologies that are used on Windows. 

The -f stack-protector-all (or -f stack-protector-strong) options should be used to protect 
against stack-buffer overflows. Comments in descriptors/gitian-firefox.yml indicate that this 
setting is currently disabled. 

Examining the process in Process Explorer 27 revealed that Tor Browser Bundle does have Data Execu- 
tion Prevention (DEP) enabled, but it does not universally enable Address Space Layout Randomiza- 
tion (ASLR). The following components do not have ASLR enabled as of Tor Browser Bundle 3.6.1: 



1. browsercomps.dll* 

2. firefox.exe* 

3. feebl3.dll* 

4. gkmedias.dll* 

5. mozalloc.dll* 

6. mozglue.dll* 

7. mozjs.dll* 



8. mozsqlite3.dll 

9. nspr4.dll 

10. nss3.dll* 

11. nssckbi.dll* 

12. nssdbm3.dll* 

13. nssutil3.dll 

14. plc4.dll 



15. plds4.dll 

16. smime3.dll 

17. softokn3.dll* 

18. ssl3.dll 

19. xul.dll* 



Note: Items marked with a * are present in the vanilla Firefox ESR and are marked ASLR there. 
Items without a * are not present in the vanilla Firefox ESR distributable. The pefile python module, 
and the script located at http : //security . stackexchange . com/quest ion s/43681/how- can- i- detect- or- 
inventory-all-dlls-that-dont-use-aslr, can be used to check if ASLR is enabled programmatically. 

Also of note is that Firefox and Tor Browser on Windows are both 32-bit applications. The limited 
address space provided by 32-bit applications allows a good degree of confidence in exploits that 
spray the heap, a 64-bit build of the browser, combined with comprehensive ASLR, would make these 
exploits extremely unreliable. 

iSEC used dumpbin.exe /loadconfig (provided with Microsoft Visual Studio Express) to check if 
firefox.exe or the supporting dll's were compiled with SafeSEH, 28 and determined that in Firefox ESR 
they are, but in Tor Browser Bundle they are not. While investigating exception handling implementa- 
tions, iSEC determined that when gcc is used to cross-compile for Windows, gcc does not implement 
Structured Exception Handling, instead using "setjmp/longjmp"-based exception handling. 29 

However, when Firefox is compiled with gcc, it explicitly disables exception handling with the -f no- 
exceptions option. This appears to be intended only for Linux builds, but Tor Browser Bundle inherits 

27 http : //technet .microsoft . com/en- us/ sys interna Is/ bb89665 3 

28 Windows also provides the SEHOP option to harden against SEH exploitation; however, this is not a compiler option, 
and instead must be opted into via the Windows Registry: http://blogs.technet.eom/b/srd/archive/2009/ll/20 
/ sehop- per- process -opt- in- support- in- windows -7 . aspx. 

29 http : //gcc . gnu . org/wiki/WindowsGCCImprovements 
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the setting for Windows as well. iSEC believe that both Structured Exception Handling and setjmp- 
longjmp-based exception handling are missing from gcc-compiled code, but is uncertain if other Win- 
dows mechanisms may place exception handlers on the stack. 

In "ipc/chromium/src/base/process_util_win.cc"Firefoxsets EnableTerminationOnHeapCorruption, 3 ' 
but this function does not seem to actually be called except in a test suite. EnableTerminationOn- 
HeapCorruption applies to user-mode heaps created by HeapCreate( ) (which is called in "sqlite3.c" 
and has matches in "CityHash.dll" and "ApplicationID.dll") and the process heap (obtained by Get- 
ProcessHeap( ) and called in a few places in the codebase). According to Microsoft, 31 this setting has 
no impact on performance, so it is probably worth enabling. 

gcc has an experimental Virtual Table Verification feature. 32,33 This feature must be compiled into 
gcc which is unusual, but Tor Browser Bundle's deterministic build system already compiles gcc from 
source - however the feature is not in the gcc 4.6 branch, which is what Tor Browser Bundle uses 
currently. VTV aims to limit exploitation of Use After Free vulnerabilities by protecting the vtables of 
C++ objects. UAF accounts for a significant number of vulnerability types, and a significant number 
of exploitation vectors actually used in the wild. Integrating this could be very worthwhile. 

Another technique to mitigate UAF vulnerabilities is to reduce the number of vtable lookups, as these 
lookups often lead to code execution. If the class does not look up function pointers from attacker- 
controlled heap memory, the risk of code execution is reduced. Classes that are not overridden can 
be automatically marked 'sealed' or 'final', and their vtable calls turned into direct calls, also yielding 
a small performance improvement. Microsoft has performed this optimization on certain libraries in 
Internet Explorer. 34 

Update: Following discussions after the engagement, iSEC determined that Clang 35 and gcc as of 
4.9 36 also support this feature in some manner. It will be necessary to investigate gee's behavior 
more carefully to determine how to make use of it (for example, if the final attribute can be added 
automatically) . 

One final technique that is used in Chromium to mitigate UAF exploitation is separate heaps for DOM 
objects and strongly user-controlled objects like strings and vectors. PartitionAlloc separates these 
types of objects into different heaps. 



Apple OS X 



iSEC verified that Tor Browser Bundle on OS X has a non-executable stack (NX, also known as DEP on 
Windows) by checking that the threads' stacks have their permissions set to rw- using the vmmap tool. 

iSEC also checked the ASLR status using otool - hv on the firefox binary distributed in the Tor Browser 
Bundle App, and determined that it is lacking the PIE attribute - lacking the attribute opts the appli- 
cation out of ASLR on OS X. While reviewing the differences between the Tor Browser Bundle build 
process and Mozilla's, iSEC discovered that both Tor Browser Bundle and Firefox are built with the 10.6 
SDK. The primary difference is that Firefox is built with -arch x86_64 while Tor Browser Bundle is 

30 http : //blogs . msdn . com/b/oldnewthing/archive/2013/12/27/10484882 . aspx 
31 http : //msdn . microsoft . com/ en- us/library /bb430720 .aspx 
32 https : //gcc . gnu . org/wiki/vtv 

33 Microsoft Visual C++ Compiler has a feature called "vtguard" that provides similar functionality. 

34 http : //media . blackhat . com/bh- us - 12/Brief ings/M_Miller/BH_US_12_Miller_Exploit_Mitigation_ 
Slides . pdf 

35 http : //stackoverf low. com/quest ions/7538820/ how- does -the- compiler- benefit -from- cs- new- 
final- keyword 
36 http : //gcc . gnu . org/gcc-4. 9/ changes . html 
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built with -arch i386. Changing this setting should enable ASLR on OS X, as the ASLR in 10.6 is not 
applicable to x86 applications. 

However, the ASLR in OS X 10.5 and 10.6 (it was not upgraded in 10.6) is ineffective. It does not 
randomize the position of system libraries, only application libraries - so building ROP chains is still 
trivial thanks to the fixed addresses. It is not necessary to build with the 10.7 SDK once PIE is enabled, 
as the improved ASLR will take effect automatically on OS X version 10.7 and above, but it is important 
to note that OS X 10.6 and below are significantly less secure in this regard. 

While reading the build-helper scripts for OS X, iSEC noticed there are several typos in the -DMAX0SX_- 
DEPLOYEMENT TARGET option. To be used for its predefined purpose, this option should be MAC0SX_- 
DEPLOYMENT_TARGET 37 (MAC instead of MAX, and remove the extra 'E' in deployment.) Currently, this 
option has no effect, as the default deployment target if unset is the version of the SDK used (which is 
also 10.6). 

AppArmor Sandbox 

iSEC briefly read a provided local. tbb3.apparmor policy file, but did not have time to iterate on it 
or investigate the many permissions that are granted but commented for later review - these include 
allowing UDP packets and full tcp network access instead of only to 127.0.0.1. 

iSEC did notice that, through #include <abstractions/dbus-session>, access is to granted to the 
machine-unique identifier in the /var/lib/dbus/machine-id file. The man page for the dbus-uuidgen 
tool indicates that it should be able to be regenerated at every machine reboot. 



37 https : //developer .apple . com/ library /mac/document at ion/DeveloperTools /Conceptual/ cross 
development/Conf igu ring/ configuring. html 



Tor Project Confidential 



May 30, 2014 



Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 20 of 154 



3.5 Enabling Assertions 

iSEC spent some time looking at assertions within Tor Browser Bundle and the feasibility of enabling 
them in non-debug builds. The first pass of this involved modifying the system's assert. h file, replacing 
the line #ifdef NDEBUG with #ifdef TOR_NASSERT. This causes assert. h-based assertions to exist in 
non-debug builds. Minor code changes were required to address compilation errors. Most notably, 
sqlite3 had excessive compilation errors, likely due to its custom debug defines. As such, sqlite3 was 
changed to compile against an unmodified assert, h. The only other changes were in the libnestegg 
and dwarf libraries and required one change each to define a normally debug-only variable. See Ap- 
pendix E.l on page 47 for a sample of the patch to enable system asserts. 

After the successful compilation and execution of Tor Browser Bundle with assert. h-based assertions 
enabled, iSEC reviewed the Mozilla code for custom assertions. There were numerous custom assertion- 
type functions, largely defined in tor-browser/xpcom/glue/nsDebug.h. An attempt to enable these 
assertion methods resulted in a multitude of compilation errors. Similar to the errors seen when 
enabling the system assertions, these largely were due to debug-only variables and functions not being 
defined for use in the assertion function. Some time was spent trying to address these issues but it 
was determined that resolving all of them to make the browser buildable would likely take too much 
amount of time to complete successfully. 

While many situations are easily rectified using the DebugOnly<T> templated class, there are corner 
cases of variable assignment that would have to be tracked down. 

Instead of attempting to enable all assertions, enabling asserts in targeted classes was revisited with a 
focus on historically-vulnerable components. This included the reference counting classes of nsCOMPtr 
and nsRef Ptr as well as the JavaScript engine. Enabling the Mozilla-based assertions within the refer- 
ence counters was straightforward and had no apparent side effects. See Appendix E.2 on page 49 for a 
sample patch. Similarly, the Mozilla-based assertions were enabled in the JavaScript code with minimal 
complications. Upon initially building Tor Browser Bundle and performing basic web browsing, one 
of the JavaScript assertions was triggered. This was due to a missed debug-only function declaration 
but acted as validation that the assertions were being enabled. The JavaScript engine has its own set of 
assertions but enabling them proved more difficult with many more corner cases to hunt down. iSEC 
was successful in compiling the browser with JS assertions enabled, but the browser regularly crashes 
from failed assertions, most likely caused by missing debug variable declarations. See Appendix E.3 on 
page 59 for a sample of the latest patch. 
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3.6 Memory Allocator Replacement 

When exploiting memory corruption, one of the most important things to understand and manipulate 
is the application's memory allocator. Firefox's memory allocator is jemalloc, and it has been the 
subject of study for exploitation purposes 38 > 39 ' 40 ' 41 for Firefox and other open source projects that 
use it. 

Another popular memory allocator is TCMalloc, which is used in WebKit, and therefore Chrome, 
Safari, Android, BlackBerry and many other pieces of web browsing software. TCMalloc has also been 
the target of study for exploitation purposes, 42 and while very fast, does not provide as much security 
as other allocators. 

Google has recently created a new allocator for Blink named PartionAlloc 43 that was written with 
speed and security in mind. In particular, one of the mechanisms it uses to achieve more security is by 
using different memory arenas ('Partitions') for different types of allocations, for example rendering, 
buffering, and certain object models. Of note, they separate DOM objects from ArrayBuffers and 
strings, which makes Use After Free vulnerabilities more difficult to exploit. 44 

Because PartitionAlloc requires a partition choice, a new generic allocator, named ctmalloc 45 is in 
development for Chromium, ctmalloc uses PartitionAlloc on the backend, and places all allocations 
into a single Partition when called through the standard malloc()/free() interface. While this is simple, 
it does not provide all of the intended security benefits of ParitionAlloc. Furthermore, Firefox's use 
of malloc, and the malloc replacement API, do not easily lend themselves to explicitly choosing a 
partition. One idea offered by PartitionAlloc's developer was to create a number of partitions and 
segment allocations into those partitions based on a per-execution secret and the allocation location 
(from EIP). 



Overridding 

Swapping out the memory allocator in Firefox is not a trivial process. Fortunately, Mozilla already did 
it, and now it is as simple as building with "-enable-replace-malloc" and executing Firefox with 

1. OnGNU/Linux: 

$ LD_PRELOAD=/path/to/library.so firefox 

2. OnOSX: 

$ DYLD_INSERT_LIBRARIES=/path/to/library.dylib firefox 

3. On Windows: 

$ MOZ_REPLACE_MALLOC_LIB=drive:\path\to\library.dll firefox 

38 BlackHat 2012: https : //media . blackhat . com/bh- us- 12/Brief ings/Argyoudis/BH_US_12_Argyroudis_ 
Exploiting_the_%20jemalloc_Memory_%20Allocator_WP. pdf and https : //www.youtube . com/watch ?v= 
7kgGVPhB2fk 

39 In Phrack: http://phrack.Org/issues/68/10.html#article & http://phrack.Org/issues/68/13.html# 
article 

40 OWASP AppSec: http : / /census - labs . com/media/heap- owasp-appsec- 2012. pdf 

41 The Browser Hackers Handbook, http : //books .google. com/books?id=lXr0AgAAQBAD&pg=PT276Slpg=PT276 
&dq=exploiting+jemalloc&source=bl&ots=vdnwCXuuAD&sig=AB56x3njLjDh50yV5Z8seOj20Xk&hl=enSsa=X& 
ei=xlFyU5LnMf bMsQTyyYHoCg&ved=0CDwQ6AEwBDgK#v=onepageSq=exploiting%20jemallocSf =f alse 

42 http : //immunity inc . com/ infilt rate/a rc hives/webkit_hea p . pdf 

43 https : //chromium. googlesource . com/chromium/blink/+/master/Source/wtf /PartitionAlloc . h 
44 http ://nullcon. net /website/archives /download . php?f ilename=Chrome- OS -Security - 2014- New- 

and-f uture- hotness- by-Sumit-Gwalani . pdf 
45 https : //code .google . com/p/chromium/ is sues/detail ?id=339604 
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The issue that tracks adding the feature is Bugzilla #804303 46 and an excellent blog post explaining 
how to use it is at http://glandi.um. org/blog/?p=2848. 

iSEC successfully created a sample memory replacement library against Firefox ESR 24, the patch is 
included in Appendix F.l on page 145. 

Replacing with ctmalloc 

iSEC used the ctmalloc-0.0.2.tar.gz release from the chromium project 47 as a base for building a 
malloc replacement library. While iSEC changed all ASSERT's in the files to RELEASE_ASSERT's for 
debugging purposes, the major adaptations took place in malloc. cpp, which is included in Appendix F.2 
on page 148. 

Using this library causes Tor Browser Bundle to crash in sqlite3. c : sqlite3VdbeMakeReady - de- 
bugging indicates this is because growOpArray will eventually call into moz_malloc_usable_size. 
The usable_size function is not overridden by ctmalloc, and thus goes into the jemalloc routines, 
which do not know about the pointer, and returns 0. This makes nOpAlloc 0, eventually causing 
the segmentation fault. 

In the time allocated, iSEC did not have time to develop a usable_size function for ctmalloc, but the 
next steps for continuing this effort will be to do so. It will probably be necessary to override all malloc 
functions defined by the replace_malloc API. 

Update: Following the engagement and conversations with PartitionAlloc's developer, iSEC used an 
updated version of PartitionAlloc that implements usable_size. This successfully compiled and ran 
Tor Browser using ctmalloc. Further development is needed to implement the partitioning scheme 
suggested. Appendix F.2 on page 148 contains the updated code. 



46 https : //bugzilla .moz ilia .org/ show_bug. cgi?id=804303 
47 https : //code. google . com/p/chromium/issues/detail?id=339604 



May 30, 2014 Tor Project Confidential Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 23 of 154 



3.7 Media Formats 

Firefox has numerous media formats supported by the audio and video elements. 48 Currently, Firefox 
directly supports Ogg (Opus and Vorbis) and Wav audio formats. The AAC and MP3 audio formats 
are also supported indirectly by relying on support from the operating system or hardware. For video, 
Firefox supports WebM (VP8 and VP9), and Ogg (Theora). Similar to AAC and MP3, Firefox indirectly 
supports MP4 (H.264) via OS or hardware support. 

iSEC investigated historical bug patterns in these components with an attempt to determine if any are 
concerning or overwhelmingly unused on the web. Of particular interest are those controlled by five 
easy-to-change about:config settings, tested on Firefox 29: 49 

1. media. ogg.enabled - Disables .OGG-based and .OPUS-based <audio> and .OGV-based <video> 
elements 

2. media. opus. enabled - Disables .OPUS-based <audio> elements 

3. media.wave. enabled - Disables .WAV-based <audio> elements 

4. media.webm. enabled - Disables .WEBA-based <audio> and .WEBM-based <video> elements 

5. media.apple.mp3. enabled - Disables .MP3-based <audio> elements (Mac only) 

Due to the complexities of audio and video parsing, these components are prone to many bugs, includ- 
ing severe security vulnerabilities. Firefox already has a fairly limited set of supported media formats, 
however for Tor Browser Bundle it may be best to have media support disabled by default. By requiring 
users to enable audio or video support on-demand when required by a website, it reduces the risk to 
these vulnerable formats by limiting unintended processing of potentially malicious audio or video 
files. Also, as VP9 gains in popularity, VP8 support can be phased out, further reducing attack surface. 



48 https : //developer .mozi 11a .org/en- US/doc s/HTML/Supported_media_formats 

49 These settings were tested using http : //hpr . dogphilosophy . net /test/, http: //www. leanbackplayer . com/ 
t est /h5mt . html, and http://www.quirksmode.org/html5/tests/vldeo.html 
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Historic Security Issues in Media Components 



The following table includes only bugs iSEC identified in the media decoders, and do not include bugs 
occurring in the DOM or JS Cores as a result of the <audio>, <video>, or <canvas> elements. 



Title 


Impact 


Component 


Identifier 


Use after free reading OGG headers 


Critical 


OGG 


CVE-2011-3005 


Heap Buffer Overflow Decoding WAV 
Data 


Critical 


WAV Audio 


CVE-2012-4186 


Potential Memory Corruption When 
Decoding Ogg Vorbis files 


Critical 


OGG 


CVE-2012-0444 


Use After Free in WAV Audio Seeking 


Critical 


WAV Audio 


Bugzilla 821737 (12/2012) 


Heap Buffer Overflow in Opus Play- 
back 


Critical 


OGG 


Bugzilla 812847 (11/2012) 


Crash in Opus Packet 


Critical 


OGG 


Bugzilla 816994 (11/2012) 


Crash in WebMReader 


High 


OGG 


Bugzilla 813562 (11/2012) 


Out of bounds read during WAV file 
decoding 


High 


WAV Audio 


CVE-2014-1497 


Crash during WAV audio file decod- 


Low 


WAV Audio 


CVE-2013-1708 


ing 









Crash during OGG encoding Low OGG Bugzilla 927579 (10/2013) 
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3.8 Protocol Handlers 

iSEC began investigating protocol handlers in Tor Browser Bundle. While the initial concerning proto- 
cols, such as mailto: , tel : , news ://, and gopher: // launch external programs or are disabled, some 
other protocols are also interesting. 

In particular, iSEC investigated the jar: protocol, which is only supported by Firefox and does not 
seem to be widely used on the web. This protocol supports URIs of the form jar:https : //example, com/ 
samplearchive. jar !/dir/f ile. html, which will open a file contained inside of a zip file. Because large 
swathes of file types are actually zip files (including .docx, .odt, etc), and that file runs in the context 
of the hosting domain, there is a possibility for malicious uploads leading to JavaScript execution in 
the hosting domain's origin. 50 To restrict this, the network, jar .open-unsafe-types setting 51 was 
added 52 and is set to 'false' by default, which does not allow the protocol handler to work unless 
the MIME type is application/java-archive or application/x- jar (which in Apache, happens 
automatically if the filetype is .jar). 

iSEC explored the possibility of completely disabling the jar : protocol but discovered that, internally, 
Tor Browser Bundle maps the app:// protocol implementation to the jar: protocol 53 and uses it 
extensively. iSEC created a patch that defines a setting, network, jar. block-remote-files that will 
prevent Tor Browser Bundle from opening any remote jar files, regardless of MIME type. This patch is 
included in Appendix D on page 45. 

Other protocols of interest that have had security vulnerabilities in the past include data : 54 and view- 
source: //; however, these are widely used on the web or integral to the functioning of Tor Browser 
Bundle. 



http : //www. gnu citizen .org/blog/web- mayhem- f iref oxs- jar- protocol- issues/ 

http://kb.mozillazine.org/Network.jar.open-unsafe-types 

https : //bugzilla .mozilla .org/show_bug. cgi?id=369814 

http : //dxr .mozilla .org/moz ilia- central/ sour ce/netwerk/protocol/app/AppProtocolHa ndler. cpp 
https : //bugzilla .mozilla .org/ show_bug. cgi?id=255107 
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3.9 Exposed DOM Objects Enumeration 

iSEC identified two ways to enumerate DOM objects exposed by Firefox. These mechanisms will help 
identify components that should be examined further with a focus on fuzzing, code coverage, privacy, 
or disabling them entirely. 

The first is the WeblDLs specified in tor-browser/dom/webidl. These interface definitions represent 
new DOM components added as a result of W3C specifications - however, iSEC believes not all DOM 
components exposed are enumerated in WeblDL files. 

The DOM test at dom/tests/mochitest/general/test_interf aces . html is another location that 
aims to enumerate all objects in the global namespace. The dom/bidings/Bindings . conf file maps 
these objects to implementations. 

More about WeblDLs, DOM object enumeration and bindings can be found at https: //developer, 
mozilla . org/en- US/doc s/Mozilla/WebIDL_bindings. 

3.10 Preference Comparison 

iSEC also identified the modules/ libpref /src/init/all . js file, which appears to contain most pref- 
erences set by Firefox and Tor Browser Bundle. iSEC used this file to determine the defaults of pref- 
erences as they change between releases. Tor Project could similarly use this file to track changes 
between ESR releases and attempt to determine if any features have been enabled that may be relevant 
to the security slider. 

3.11 TBB Tests 

Using the data from section 3.9, iSEC believes several candidate tests can be created for Tor Browser 
Bundle. In the short term, these tests are more related to compile-time options, and thus are better 
suited for the upcoming migration to Firefox ESR 31, along with the preference file explained in sec- 
tion 3.10. The DOM enumeration from section 3.9 can be used to review additional features merged 
into the browser and review them for privacy concerns. Longer-term, these tests will likely be integral 
in detecting regressions on the security slider. 

iSEC has created a sample test in Appendix B on page 30 that uses the list from dom/tests/mo- 
chitest/general/test_interf aces . html to enumerate unexpected DOM objects, expected-but-mi 
ssing DOM objects, and expected-and-seen DOM objects. Note that due to the original test_inter- 
faces.html using special post-compilation test harness capabilities (the SpecialPowers interface), 
this list contains a significant number of unexpected and expected-but-missing DOM objects currently. 
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3.12 browser.fixup.alternate 

From a careful reading of the Cure53 SecureDrop Report, 55 iSEC was alerted to to the browser, fixu 
p. alternate Firefox settings, which under certain circumstances may automatically append a suffix 
(such as .com) to URLs. The risk is that the browser attempts to contact a Hidden Service, is unable, 
and automatically appends .com in an attempt to resolve it. 

iSEC investigated the relevant about : conf ig settings: 

1. browser.fixup.alternate. suffix - The suffix, by default ".com", added when a user hits Con- 
trol+Enter (or on Mac, Meta+Enter) with a single word, to transform "example" into http:// 
www.example.com. This value is also used in conjunction with the prefix in nsDefaultURI- 
Fixup: :MakeAlternateURI, explained below. 

2. browser.fixup.alternate. prefix - The prefix, by default "www.", used in nsDefaultURI- 
Fixup: :MakeAlternateURI in docshell/base/nsDefaultURIFixup.cpp, which is called by nsDe- 
faultURIFixup : : CreateFixupURI. The latter function is called in a few places throughout the 
codebase as documented in Appendix C on page 43 and may lead to information disclosure. 

3. browser .fixup. alternate, enabled - The preference that controls whether the prefix and suf- 
fixed URIswill be tested in nsDefaultURIFixup: :MakeAlternateURI 

Neither Cure53, iSEC, or the Tor Project were able to induce a fixup of a .onion address. However, it is 
possible that this functionality may change in the future. Because the browser .fixup. alternate, en 
abled preference is only used in a single location to control testing alternate URLs, iSEC recommends 
that Tor Project investigate disabling this preference, or further asserting that .onion URLs will not be 
inadvertently leaked if they cannot be contacted. 



https : // cure53.de/pent est - report_securedrop. pdf 
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Appendices 

A Bug Classification Glossary 

iSEC used the following approximate definitions to guide categorizing bug categories: 

• Use After Free (UAF) - A pointer refers to an object that has been freed, and is subsequently 
dereferenced, leading to use of memory an attacker may control. 

• Heap Overwrite - Data is written outside the bounds of the object's allocated heap space 

• Heap Overread - Data is read outside the bounds of the object's allocated heap space 

• Stack Based Buffer Overwrite - Data is written outside the bounds of the object's allocated stack 
space 

• Memory Leak - Data is disclosed through appropriate buffer bounds, but refers to previously 
used memory (such as pointers) 

• Data Leak - Information about the user's computer, such as local files or screen contents, are 
exposed. 

• Assert - Triggers an assertion in the code 

• Use of Uninitialized Memory (UUIM) - Application code uses an uninitialized value, which may 
be controlled by an attacker 

• Type Confusion - Application code interprets an object of one type as another type 

• Null Dereference - Application code attempts to dereference a Null pointer 

• Double Free - Application Code frees an object twice, possibly corrupting the Heap metadata. 
Likewise, iSEC would like to make the following notes about certain components: 

• Many of the DOM Core bugs have test cases that use JavaScript to put the DOM in the correct 
state. It is likely that many of the DOM Core bugs will become unexploitable if JavaScript is 
disabled. 

• In the beginning of classification, iSEC was unfamiliar with the distinction between the general 
JavaScript Core and the newer Ion JIT engine that can be disabled. Some of the JS Core bugs may 
belong to the Ion JIT engine. 

• In general, this process is imperfect and is designed only to be a rough guide. 
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B Tor Browser Bundle DOM Tests 



<html> 
<head> 

<title>Tor Browser DOM Test</title> 
</head> 
<body > 

<div style="text -align : center" ><hl>TBB DOM Tests</hlx/div> 
<h2>Unexpected 0bjects</h2> 

<p>These objects were not expected to be present in the Global Namespace. They should 

be carefully examined for security and privacy considerations . </p> 
<div id = "unexpectedNames"x/div> 

<h2>Unseen Ob jects</h2> 

<p>These objects were expected to be present in the Global Namespace, but were not. 
They indicate some lack of understanding between how the browser is built and how 
the interf aceNamesInGlobalScope is defined. </p> 
<div id = " unseenNames " ></div> 

<h2>Expected 0bjects</h2> 

<p>These objects were expected to be found, and were.</p> 
<div style = "font - size : smaller " id = " seenNames " ></div> 

< script type=" application /javascript "> 
var ob jectsIDontCareAbout = 
[ 

interfaceNamesInGlobalScope", 
objectsIDontCareAbout", 
Object", 
Function", 
eval " , 
window" , 
document " , 
undefined " , 
Boolean " , 
Date" , 
Math", 
isNaN", 
isFinite " , 
parseFloat " , 
parselnt " , 
NaN", 

Infinity" , 
Number" , 
String", 
escape" , 
unescape", 
uneval " , 
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"decodeURI" , 
" encodeURI " , 
"decodeURIComponent", 
"encodeURIComponent", 
"Error" , 

" InternalError " , 

" EvalError" , 

" RangeError " , 

"ReferenceError", 

"SyntaxError" , 

"TypeError" , 

"URIError", 

"RegExp" , 

" Iterator " , 

"Stoplteration " , 

" Int8Array " , 

"Uint8Array " , 

" Intl6Array " , 

"Uintl6Array " , 

" Int32Array " , 

"Uint32Array " , 

" Float32Array " , 

" Float64Array " , 

"Uint8ClampedArray", 

"DataView" , 

"ArrayBuf f er" , 

"WeakMap " , 

"Map", 

"Set", 

"Proxy" , 

"Image" 

]; 

//Taken from Tor Browser's dom/tests/mochitest/general/test_interf aces . html 
var interf aceNamesInGlobalScope = 
[ 

"AnimationEvent", 
"Array" , 

" AsyncSc roll Event Detail " , 

"Attr", 

" BarProp " , 

" BatteryManager " , 

"BeforellnloadEvent", 

"Blob", 

" BlobEvent " , 

" BoxOb ject " , 

"CameraCapabilities", 

"CameraControl " , 

"CameraManager " , 

"CanvasGradient", 

"CanvasPattern " , 

"CanvasRenderingContext2D", 
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'CDATASection" , 

'CharacterData " , 

'ChromeWindow" , 

'Clientln formation", 

'ClientRect", 

'ClientRectList " , 

'ClipboardEvent " , 

'CloseEvent " , 

'CommandEvent " , 

'Comment " , 

'Composition Event", 

'Contact", 

'Contact Manager", 

'Controllers " , 

'Counter " , 

'CRMFObject", 

'Crypto" , 

'CryptoDialogs " , 

'CSS2Properties " , 

'CSSCharsetRule", 

'CSSConditionRule", 

'CSSFontFaceRule", 

' CSS Fon t Feat u revalues Rule" , 

'CSSGroupingRule", 

'CSSImportRule" , 

'CSSMediaRule" , 

'CSSMozDocumentRule", 

'CSSPageRule" , 

'CSSPrimitiveValue" , 

'CSSRule", 

'CSSRuleList", 

'CSSStyleDeclaration", 

'CSSStyleRule", 

'CSSStyleSheet", 

'CSSSupportsRule", 

'CSSUnknownRule " , 

'CSSValue", 

'CSSValueList", 

'CustomEvent " , 

'DataChannel " , 

'DataContainerEvent", 

'DataErrorEvent " , 

'DataTransf er" , 

'DesktopNotification", 

'DesktopNotificationCenter", 

'DeviceAcceleration", 

'DeviceLight Event", 

' DeviceMot ion Event " , 

'DeviceOrientation Event", 

'DeviceProximityEvent", 

'DeviceRotationRate", 
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'DeviceStorage" , 
'DeviceStorageChangeEvent", 
'DeviceStorageCursor", 
'Document", 
' DocumentFragment", 
'DocumentTouch" , 
'DocumentType" , 
'DocumentXBL " , 
'DOMCursor" , 
'DOMError" , 
'DOMException " , 
'DOMImplementation " , 
'DOMRequest", 
■DOMSettableTokenList" , 
'DOMStringList " , 
'DOMStringMap" , 
'DOMTokenList" , 
'DOMTransactionEvent " , 
'DragEvent " , 
'Element " , 

'ElementCSSInlineStyle", 
'ElementReplaceEvent", 
'ElementTimeControl", 
' Event " , 

' Event Listener " , 

'EventListenerlnfo", 

' EventSource" , 

' EventTarget " , 

'File", 

' FileHandle " , 

'FileList" , 

' FileReader" , 

' FileRequest " , 

' FocusEvent " , 

' Font Face " , 

' FontFaceList " , 

' FormData " , 

'Gamepad", 

'Game pad Axis Move Event " , 

'GamepadButtonEvent", 

'GamepadEvent " , 

'GeoGeolocation", 

'GeoPosition " , 

'GeoPositionCallback", 

'GeoPositionCoords", 

'GeoPositionError", 

'GeoPositionErrorCallback", 

'GetUserMediaErrorCallback " , 

'GetUserMediaSuccessCallback' 

'GlobalObject Constructor", 

'GlobalPropertylnitializer", 
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'HashChangeEvent", 
'History " , 

'HTMLAnchorElement", 

' HTM LApplet Element" , 

' HTM LArea Element" , 

' HTM LAudio Element", 

'HTMLBaseElement" , 

'HTMLBodyElement" , 

'HTML BR Element " , 

'HTML Butt on Element" , 

'HTMLByteRanges " , 

' HTM LCanvas Element" , 

'HTMLCollection" , 

'HTMLCommand Element" , 

'HTMLDataListElement", 

'HTMLDirectoryElement", 

'HTMLDivElement " , 

'HTMLDListElement", 

'HTMLDocument " , 

'HTMLElement", 

' HTM LEmbed Element", 

'HTMLFieldSet Element", 

'HTMLFontElement", 

'HTMLFormElement " , 

'HTMLFrameElement", 

'HTMLFrameSetElement", 

'HTMLHeadElement", 

'HTMLHeadingElement", 

'HTMLHRElement " , 

'HTMLHtmlElement", 

'HTMLIFrameElement", 

'HTMLImageElement", 

' HTM LInput Element", 

'HTMLLabelElement", 

'HTML Legend Element", 

'HTMLLIElement " , 

'HTMLLinkElement", 

'HTMLMapElement", 

' HTM LMedia Element", 

' HTM LMenu Element " , 

'HTMLMenuItemElement", 

'HTMLMetaElement", 

' HTM LMeter Element " , 

'HTMLModElement", 

'HTMLObjectElement", 

'HTMLOListElement", 

'HTMLOptGroupElement", 

' HTM LOpt ion Element", 

'HTMLOptionsCollection", 

' HTM LOut put Element" , 

'HTMLParagraphElement", 
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'HTMLParamElement", 

'HTMLPreElement " , 

'HTMLProgressElement", 

'HTMLPropertiesCollection", 

' HTM LQuote Element" , 

' HTM LScript Element" , 

' HTM LSelect Element " , 

'HTMLSourceElement", 

'HTMLStyleElement", 

' HTM LTableCapt ion Element" , 

'HTMLTableCellElement" , 

'HTMLTableColElement" , 

'HTMLTableElement", 

'HTMLTableRowElement " , 

' HTM LTableSect ion Element" , 

'HTMLTextAreaElement", 

'HTMLTitleElement" , 

'HTMLUListElement", 

'HTMLUnknown Element" , 

'HTMLVideoElement", 

' IDBCursor" , 

' IDBCursorWithValue" , 

'IDBDatabase" , 

'IDBFactory", 

'IDBIndex", 

'IDBKeyRange" , 

'IDBObjectStore" , 

' IDBOpenDBRequest " , 

'IDBRequest", 

' IDBTransaction " , 

' IDBVersionChangeEvent " , 

' ImageData " , 

' ImageDocument " , 

'DSON" , 

' JSWindow" , 

' Key Event " , 

' LinkStyle " , 

' LoadStatus " , 

' LocalMediaStream", 

' Location " , 

' LockedFile " , 

'LSProgress Event", 

'MediaError" , 

'MediaList " , 

'MediaQueryList " , 

'MediaQueryListListener", 

'MediaStream" , 

'MessageEvent " , 

'MimeType", 

'MimeTypeArray " , 

'ModalContentWindow". 
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'HouseEvent " , 

'MouseScrollEvent", 

'MozAlarmsManager", 

'MozApplicationEvent", 

'MozBlobBuilder " , 

'MozBrowserFrame", 

'MozCanvasPrintState", 

'MozConnection " , 

'MozContactChangeEvent", 

'MozCSSKeyframeRule"j 

'MozCSSKeyframesRule", 

'MozMmsEvent " , 

'MozMmsMessage " , 

'MozMobileCelllnfo"., 

'MozMobileConnectionInfo" J 

'MozMobileMessageManager", 

'MozMobileMessageThread", 

'MozMobileNetworklnfo", 

'Moz Named At trMap" , 

' MozNavigatorMobileMessage " , 

'MozNavigatorNetwork", 

'MozNavigatorSms", 

'MozNavigatorTime", 

' MozNetworkStats " , 

'MozNetworkStatsData", 

' MozNetworkStatsManager" , 

'MozPowerManager" , 

'MozSet tings Event", 

'MozSmsEvent " , 

'MozSmsFilter" , 

'MozSmsManager " , 

'MozSmsMessage" , 

'MozSmsSegmentlnfo", 

'MozTimeManager " , 

'MozTouchEvent " , 

'MozWakeLock" , 

'MozWakeLockListener", 

'MutationEvent " , 

'MutationObserver", 

'HutationRecord " , 

'Navigator" , 

' NavigatorCamera", 

'NavigatorDesktopNotification", 

'NavigatorDeviceStorage", 

'NavigatorGeolocation", 

'NavigatorllserMedia", 

'Node" , 

' NodeFilter " , 

' Nodelterator " , 

' NodeList " , 

' NodeSelector" . 
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' Not if yAudioAvai la ble Event " , 

'Notify Paint Event", 

'NSEditableElement" , 

'NSEvent", 

' NSRGBAColor " , 

'NSXPathExpression", 

' Of f lineResourceList " , 

'OpenWindow Event Detail", 

'PageTransitionEvent", 

' PaintRequest " , 

'PaintRequestList", 

'Parser" , 

' ParserJS " , 

'PaymentRequestlnfo", 

'Performance" , 

' Perf ormanceNavigation " , 

'PerformanceTiming", 

'PermissionSettings", 

'Pkcsll", 

' Plugin " , 

' PluginArray " , 

' PopStateEvent " , 

'PopupBlockedEvent", 

'Processinglnstruction", 

' ProgressEvent " , 

' Property Node Li st " , 

' PushManager " , 

'Range", 

'Rect" , 

' RequestService " , 
'RGBColor", 
'RTCIceCandidate" , 
' RTCPeerConnection " , 
'RTCSessionDescription", 
'Screen " , 

'ScrollArea Event", 
'Selection " , 
'Serializer" , 
'SettingsLock" , 
'SettingsManager", 
'SimpleGestureEvent", 
' SmartCardEvent " , 
'SpeechRecognitionError", 
'SpeechRecognition Event", 
' Speech SynthesisEvent", 
'Storage" , 
'StorageEvent " , 
'StoragelndexedDB", 
'Storageltem" , 
'StorageManager " , 
'StorageObsolete", 
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'StyleRuleChangeEvent", 
'Stylesheet " , 

' StyleSheetApplicableStateChange Event"., 

'StyleSheetChangeEvent", 

'StyleSheetList" , 

'SVGAElement" , 

'SVGAltGlyph Element", 

'SVGAngle", 

'SVG Animated Angle " , 

'SVGAnimatedBoolean " , 

'SVGAnima ted Enumeration " , 

'SVGAnimated Integer" , 

' SVG Animated Length " , 

' SVGAnimated Length Lis t " , 

'SVGAnimatedNumber" , 

' SVGAnima tedN umber Lis t " , 

'SVGAnimatedPathData", 

' SVGAnimated Point s " , 

' SVGAn ima tedPreserveAs pec t Ratio " , 

'SVGAnimatedRect" , 

' SVGAn ima ted St ring" , 

' SVGAn imatedTransf ormLi st " , 

' SVGAn imate Element " , 

' SVGAn imateMot ion Element " , 

' SVGAn ima t eTra n sf orm Element " , 

' SVGAn i mat ion Element " , 

'SVGCircleElement " , 

'SVGClipPath Element" , 

'SVGComponentTransf erFunct ion Element " , 

'SVGDef sElement " , 

'SVGDesc Element " , 

' SVGDocument " , 

'SVGElement", 

'SVGEllipseElement " , 

'SVGEvent" , 

'SVGFEBlendElement" , 

'SVGFEColorMatrix Element " , 

'SVGFEComponent Transfer Element " , 

'SVGFECompositeElement " , 

' S VG F E Co n vol veMatrix Element " , 

'SVGFEDif fuse Light ingElement " , 

' SVGFEDisplacementMapElement " , 

'SVGFEDistant Light Element" , 

' SVGFE Flood Element " , 

' SVGFEFuncAElement " , 

' SVGFEFuncBElement " , 

'SVGFEFuncGElement" , 

' SVGFEFuncRElement " , 

'SVGFEGaussianBlur Element " , 

'SVGFE Image Element " , 

'SVGFEMerge Element " , 
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'SVGFEMerge Node Element " , 
' SVG FEMorp ho logy Element " , 
'SVGFEOff set Element", 
'SVGFEPoint Light Element", 
' SVGFESpecu la r Light ingElement " , 
'SVGFESpot Light Element", 
'SVGFETileElement", 
'SVGFETurbulenceElement " , 
'SVG Filter Element " , 

'SVGFilterPrimitiveStandardAtt ributes " , 

'SVGFitToViewBox" , 

'SVGForeignOb ject Element " , 

'SVGGElement", 

'SVGGradient Element " , 

' SVG Image Element " , 

'SVGLength", 

'SVGLengthList", 

' SVG Li nearGradient Element " , 

'SVGLineElement " , 

'SVGLocatable", 

' SVGMarker Element " , 

'SVGMaskElement", 

'SVGMatrix", 

'SVGMetadata Element", 

'SVGMpathElement", 

' SVGNumber " , 

' SVGNumberList " , 

'SVGPathElement", 

'SVGPathSeg", 

'SVGPathSegArcAbs", 

'SVGPathSegArcRel", 

'SVGPathSegClosePath", 

' SVGPathSegCurvetoCubicAbs " , 

'SVGPathSegCurvetoCubicRel " , 

' SVGPathSegCurvetoCubicSmoothAbs " , 

' SVGPathSegCurvetoCubicSmoothRel " , 

' SVGPathSegCurvetoQuadraticAbs " , 

' SVGPathSegCurvetoQuadraticRel " , 

' SVGPathSegCurvetoQuadraticSmoothAbs " , 

' SVGPathSegCunvetoQuadraticSmoothRel " , 

'SVGPathSegLinetoAbs " , 

' SVGPathSeg Li net oHorizont a lAbs " , 

'SVGPathSegLinetoHorizontalRel" , 

'SVGPathSegLinetoRel", 

' SVGPathSeg Li net oVe rt i ca 1 Ab s " , 

'SVGPathSegLinetoVerticalRel" , 

'SVGPathSegList", 

' SVGPathSegMovetoAbs " , 

'SVGPathSegMovetoRel", 

' SVG Pattern Element " , 

'SVGPoint" , 
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'SVGPointList", 

' SVG Polygon Element " , 

'SVG Poly line Element " , 

'SVGPreserveAspect Ratio" , 

'SVGRadialGradient Element " , 

'SVGRect", 

'SVGRectElement" , 

' SVGScript Element " , 

'SVGSetElement", 

'SVGStopElement " , 

'SVGStringList", 

'SVGStylable" , 

'SVGStyleElement" , 

'SVGSVGElement", 

' SVGSwitch Element " , 

'SVG Symbol Element " , 

'SVGTests", 

'SVGText Con tent Element " , 
'SVGText Element " , 
' SVGText PathElement", 
'SVGText Posit ion ingElement" , 
'SVGTitleElement" , 
'SVGTransf orm" , 
'SVGTransf ormable " , 
'SVGTransf ormList " , 
'SVGTS pan Element " , 
'SVGUnitTypes" , 
'SVGURIReference" , 
'SVGUseElement", 
'SVGViewElement " , 
'SVGViewSpec " , 
'SVGZoomAndPan" , 
'SVGZoomEvent " , 
'TCPSocket", 
'Text", 

'TextHetrics " , 
'TimeEvent " , 
'TimeRanges " , 
'ToString" , 
'Touch " , 
'TouchEvent " , 
'TouchList " , 
'Transition Event", 
'TreeColumn " , 
'TreeColumns " , 
'TreeContentView" , 
'TreeSelection " , 
'TreeWalker" , 
'UIEvent", 
'UndoManager" , 
'URL", 
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"UserDataHandler", 
'UserProximityEvent", 
" USSDReceivedEvent", 
"ValidityState" , 
"WebGLRenderingContext", 
" WebSocket " , 
" WheelEvent " , 
"Window" , 

" WindowCol lection " , 

"Windowlnternal", 

"WindowPerformance", 

" WindowUtils " , 

"XMLDocument " , 

"XHLHttpRequest" , 

"XMLHttpRequestEventTarget", 

"XMLHttpRequestUpload", 

"XPathEvaluator" , 

"XPathExpression", 

"XPathNamespace", 

"XPathNSResolver" , 

"XPathResult" , 

"XSLTProcessor " , 

"XULButtonElement", 

"XULCheckbox Element" , 

"XULCommandDispatcher", 

"XULCommand Event " , 

"XULContainerElement", 

"XULContainerltemElement"., 

"XULControl Element " t 

"XULDescriptionElement", 

"XULDocument " , 

"XULElement" , 

"XUL Image Element " , 

"XULLabeledControlElement", 

"XULLabelElement" , 

"XULMenuListElemenf'j 

"XULMultiSelectControlElement". 

"XULPopupElement " , 

"XUL Related Element " , 

"XULSelectControl Element" , 

"XULSelectControlItemElement", 

"XULTemplateBuilder" , 

"XULText Box Element" , 

"XULTreeBuilder" , 

"XULTreeElement". 



var populateLists = function() { 
var seenList = []; 
var unseenList = []; 
var unexpectedList = []; 



May 30, 2014 



Tor Project Confidential 



Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 42 of 154 



var allObjects = Object . getOwnPropertyNames (window) ; 
for(var i in allObjects) { 
name = allObjects [ i ] ; 

if ( interf aceNamesInGlobalScope . indexOf ( name ) >= 0 | j 
objectsIDontCareAbout . indexOf (name) >= 0){ 
seenList.push(name); 

} 

else { 

unexpected List. push (name); 

} 

} 

for(var i in interf aceNamesInGlobalScope ) { 
name = interf aceNamesInGlobalScope [ i ] ; 
if (allObjects . indexOf (name) < 0) { 
unseenList.push(name); 

} 

} 

unseenNames = '<ol>'; 
for(var i in unseenList) { 

unseenNames += '<li>' + unseenList [ i ] + '</li>\n'; 

} 

unseenNames += '</ol>'; 

seenNames = ' <ol> ' ; 
for(var i in seenList) { 

seenNames += '<li>' + seenList[i] + '</li>\n'; 

} 

seenNames += ' </ol>'; 

unexpectedNames = '<ol>'; 
for(var i in unexpectedList ) { 

unexpectedNames += '<li>' + unexpectedList [i] + '</li>\n'; 

} 

unexpectedNames += '</ol>'; 

document . getElementByld (' unseenNames '). innerHTML = unseenNames; 

document . getElementByld (' seenNames '). innerHTML = seenNames; 

document. getElementByld ('unexpectedNames'). innerHTML = unexpectedNames; 

} 

setTimeout ( populateLists , 1000); 

</script> 

</body > 
</html> 

Listing 1: Enumerating DOM Objects 
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C CreateFixupURL Calls 

nsDef aultURIFixup: :CreateFixupURI will only use the browser .fixup. alternate . suffix value to 
create a new URI if the flag FIXUP_FLAGS_MAKE_ALTERNATE_URI is provided. Searching for this 
flag yields the following two results: 

NS_IMETHODIMP 

nsScriptSecurityManager::CheckLoadURIStrWithPrincipal(nsIPrincipal* aPrincipal, 
const nsACString& aTargetURIStr , uint32_t aFlags) { 

nsresult rv; 

nsCOMPtr<nsIURI > target; 

rv = NS_NewURI(getter_AddRef s(target), aTargetURIStr , 

nullptr, nullptr, slOService); 
NS_ENSURE_SUCCESS(rv, rv); 

rv = CheckLoadURIwithPrincipal ( aPrincipal , target, aFlags); 
NS_ENSURE_SUCCESS(rv, rv); 

// Now start testing fixup -- since aTargetURIStr is a string , not 
// an nsIURIj we may weLL end up fixing it up before Loading. 
// Note: This needs to stay in sync with the nsIURIFixup api . 
nsCOMPtr<nsIURIFixup> fixup = do_GetService(NS_URIFIXUP_CONTRACTID) ; 
if (Ifixup) { 
return rv; 

} 

uint32_t flags [] = { 



nsIURIFixup : 


: FIXUP 


_F LAG_ 


.NONE , 




nsIURIFixup : 


: FIXUP 


_FLAG. 


_ALLOW_KEYWORD_ 


.LOOKUP 


nsIURIFixup : 


:FIXUP_ 


FLAGS. 


_MAKE_ALTERNATE_ 


.URI, 


nsIURIFixup : 


: FIXUP 


_FLAG. 


_ALLOW_KEYWORD 


_LOOKUP 


nsIURIFixup : 


:FIXUP_ 


FLAGS. 


_MAKE_ALTERNATE_ 


.URI 



}; 

for (uint32_t i = 8; i < ArrayLength (flags ) ; ++i) { 

rv = fixup - >CreateFixupURI ( aTargetURIStr , flags[i], nullptr, 

getter_AddRef s (target) ) ; 

NS_ENSURE_SUCCESS(rv, rv); 

rv = CheckLoadURIwithPrincipal ( aPrincipal , target, aFlags); 
NS_ENSURE_SUCCESS(rv, rv); 

} 

return rv; 



Listing 2: caps/src/nsScriptSecurityManager.cpp 
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// Edited sLightLy for brevity 

// Now try change the address, e.g. turn http://foo into 
// http://uuu.foo.com 

if (aStatus == NS_ERROR_UNKNOWN_HOST | | 
aStatus == NS_ERROR_NET_RESET) { 
bool doCreateAlternate = true; 

// Skip fixup for anything except a normal document Load 
// operation on the topframe . 
if (mLoadType != LOAD_NORMAL || lisTopFrame) 
doCreateAlternate = false; 

else { 

// Test if keyuord lookup produced a neu URI or not 
if (newURI) { 

bool sameURI = false; 
url->Equals(newURI , SsameURI); 
if (IsameURI) { 

// Keyuord lookup made a neu URI so no need to try 
// an alternate one. 
doCreateAlternate = false; 

} 

} 

} 

if (doCreateAlternate) { 
newURI = nullptr; 
newPostData = nullptr; 
sURIFixup->CreateFixupURI( oldS pec, 

nsIURIFixup : : FIXUP_FLAGS_MAKE_ALTERNATE_URI, 

getter_AddRef s ( newPostData ) , getter_AddRef s ( newURI ) ) ; 

} 

} 

// Did we make a neu URI that is different to the old one? If so 
// load it. 
if (newURI) { 

// Make sure the new URI is different from the old one, 

// otherwise there's Little point trying to Load it again. 

bool sameURI = false; 

url - > Equals ( newURI , SsameURI); 

if (IsameURI) { 

nsAutoCString newSpec; 

newURI ->GetSpec( newSpec ) ; 

NS_ConvertUTF8toUTF16 newSpecW( newSpec ) ; 

return LoadURI ( newSpecW . get ( ) , 

LOAD_FLAGS_NONE , nullptr, newPostData, nullptr); 

} } 

Listing 3: docshell/base/nsDocShell.cpp 
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D Configuration Setting to Block All Remote 
JAR Files 

From If c4163cf ae73f 7de62c644718204f 644clldb41 Mon Sep 17 00:00:00 2001 
From: Deff Gibat < jgibatgisecpartners . com> 
Date: Wed, 21 May 2014 20:23:32 +0000 

Subject: [PATCH] adding a config preference that allows a user to block all 
remote jar files regardless of content type 



modules/libjar/nsDARChannel . cpp | 6 ++++++ 
modules/libpref /src/init/all . js | 3 +++ 
2 files changed, 9 insertions (+) 



diff --git a/modules/libjar/nsJARChannel . cpp b/modules/libjar/nsDARChannel . cpp 
index 22b483a . .47a212e 100644 

— a /modules/ lib jar/nsJARChannel .cpp 
+++ b/modules/libjar/nsJARChannel .cpp 

@§ -902,6 +902,12 @@ nsJARChannel : : OnDownloadComplete ( nsIDownloader *downloader, 
mContentDisposition = NS_GetContentDispositionFromHeader( 
mContentDispositionHeader, this); 

} 

+ // here we check preferences to see if all remote jar support should be disabled 
+ if ( Preferences :: GetBool (" network . jar . block - remote -files " , true)) { 
+ mlsUnsafe = true; 

+ status = NS_ERROR_UNSAFE_CONTENT_TYPE; 

+ } 
+ 

if (NS_SUCCEEDED(status) && mlsUnsafe && 

[Preferences: :GetBool(" net work. jar. open-unsafe- types", false)) { 

status = NS_ERROR_UNSAFE_CONTENT_TYPE; 
diff --git a/modules/libpref /src/init/all . js b/modules/libpref /src/init/all . js 
index 0a2588d . . 3623e38 100644 

— a/ modules /libpref/src/init/ all. js 
+++ b/ modules /libpref/src/init/ all. js 

(S)@ -1107,6 +1107,9 @@ pref ( "dom . server -events . default - reconnection -time " , 5000); // 
in milliseconds 
// by the jar channel. 

pref ( " network .jar. open-unsafe -types", false); 



+// If true, remote JAR files will not be opened, regardless of content type 

+pref ( " network . jar . block- remote -files " , true) ; 

+ 

// This preference, if true, causes all UTF-8 domain names to be normalized to 
// punycode. The intention is to allow UTF-8 domain names as input, but never 
// generate them from punycode. 
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1.7.9.5 



Listing 4: Sample Patch For Blocking All Remote JAR Files 
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E Enable Assertions Patches 

E.l System Assertions 



diff --git a/db/sqlite3/src/sqlite3 . c b/db/sqlite3/src/sqlite3 . c 
index deef 460 . . C633695 100644 

— a/db/sqlite3/src/sqlite3 . c 
+++ b/db/sqlite3/src/sqlite3 . c 

@@ -8083,7 +8083,7 @@ SQLITE_PRIVATE void sqlite3HashClear ( Hash * ) ; 

#include <stdio.h> 

#include <stdlib.h> 

#include <string.h> 
-#include <assert.h> 
+#include <assert -orig . h> 

#include <stddef.h> 

/* 

diff --git a/media/libnestegg/src/halloc . c b/media/ libnestegg/src/halloc . c 
index 5758f C0 . . 5382c56 100644 

— a/media/libnestegg/src/halloc.c 
+++ b/media/libnestegg/src/halloc.c 
@@ -24,7 +24,7 @@ 

*/ 

typedef struct hblock 
{ 

-#ifndef NDEBUG 
+#ifndef TOR_NASSERT 

#define HH_MAGIC 0X20040518L 
long magic; 

#endif 

diff --git a/toolkit/crashreporter/google - breakpad/src/common/dwarf /dwarf 2reader . cc b 

/toolkit /crashreporter/google - breakpad/src/common/dwarf /dwarf 2 reader . cc 
index 7d0b8af . .4076ea8 100644 

— a/toolkit /crash reporter/ google -breakpad/src/ common /dwarf /dwarf 2 reader . cc 
+++ b/toolkit/ crashreporter/google -breakpad/src/ common /dwarf /dwarf 2 reader . cc 
@@ -86,7 +86,7 @@ void CompilationUnit : : ReadAbbrevs ( ) { 

const char* abbrev_start = iter- >second . first + 

header_ . abbrev_of f set ; 
const char* abbrevptr = abbrev_start ; 
-#ifndef NDEBUG 
+#ifndef TOR_NASSERT 

const uint64 abbrev_length = iter->second . second - header_. abbrev_off set; 
#endif 

Listing 5: Sample Patch For Enabling Standard System Assertions From assert. h 
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--- /usr/include/assert-orig.h 2014-05-05 22:17:11.711269515 +0000 
+++ /usr/include/assert.h 2014-05-05 22:08:43.683270829 +0000 
@@ -47 j 7 +47,7 (3(5) 

If NDEBUG is defined, do nothing. 

If not, and EXPRESSION is zero, print an error message and abort. */ 
-#ifdef NDEBUG 

+#ifdef TORJMASSERT /* NDEBUG */ 

# define assert(expr) ( ASSERT_VOID_CAST (0)) 

Listing 6: Sample Patch For Enabling Standard System Assertions From assert. h 
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E.2 nsCOMPtr Assertions 



diff --git a/xpcom/glue/Makef ile . in b/xpcom/glue/Makef ile . in 
index f 41ac6d . . 07242f 8 100644 

— a/xpcom/glue/Makef ile . in 
+++ b/xpcom/glue/Makef ile . in 

(5>@ -33,6 +33,7 @@ SDK_HEADERS = \ 

nsCycleCollectorUtils . h \ 

nsDataHashtable . h \ 

nsDebug.h \ 
+ nsDebugTor.h \ 

nsDeque.h \ 

nsEnumeratorUtils . h \ 

nsHashKeys.h \ 

diff --git a/xpcom/glue/nsCOMPtr . h b/xpcom/glue/nsCOMPtr . h 
index d082928 . . 66ccf 4a 100644 

— a/xpcom/glue/nsCOMPtr . h 
+++ b/xpcom/glue/nsCOMPtr . h 
(5>@ -25,9 +25,9 @(3 

#include "mozilla/NullPtr . h" 

// Wrapping includes can speed up compiles (see "Large Scale C++ Software Design") 

-#ifndef nsDebug_h 

-#include "nsDebug.h" 

— // for | NS_ABORT_IF_FALSE | , | NS_ASSERTION | 
+#ifndef nsDebugTor_h 

+#include "nsDebugTor.h" 

+ // for | TBB_NS_ABORT_IF_FALSE | , | TBB_NS_ASSERTION | 
#endif 

#ifndef nsISupportsUtils_h 

(5)@ -542,7 +542,7 (3(3 class nsCOMPtr MOZ_FINAL 
if ( mRawPtr ) 
{ 

nsCOMPtr<T> query_result ( do_Query Interf ace(mRawPtr) ); 
NS_ASSERTION (query_result . get ( ) == mRawPtr, "Querylnterf ace needed"); 
+ TBB_NS_ASSERTION ( query_result . get ( ) == mRawPtr, "Querylnterf ace needed 



} 



} 



-804,7 +804,7 (3(3 class nsCOMPtr MOZ_FINAL 

// parameters where rhs bay be a T** or an I** where I is a base class 

// Of T. 

{ 

NS_ASSERTION(rhs, "Null pointer passed to forget!"); 
TBB_NS_ASSERTION ( rhs , "Null pointer passed to forget!"); 
NSCAP_LOG_RELEASE (this , mRawPtr ) ; 
*rhs = get(); 
mRawPtr = 0; 
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@@ -836,7 +836,7 @§ class nsCOMPtr M0Z_FINAL 
T* 

operator->() const 
{ 

NS_ABORT_IF_FALSE (mRawPtr != 0, "You can't dereference a NULL nsCOMPtr 
with operator ->().") ; 

+ TBB_NS_ABORT_IF_FALSE (mRawPtr != 0, "You can't dereference a NULL nsCOMPtr 

with operator ->().") ; 
return get(); 

} 

@@ -860,7 +860,7 @@ class nsCOMPtr M0Z_FINAL 
T& 

operator*() const 
{ 

NS_ABORT_IF_FALSE (mRawPtr != 0, "You can't dereference a NULL nsCOMPtr 
with operator *().") ; 

+ TBB_NS_ABORT_IF_FALSE (mRawPtr != 0, "You can't dereference a NULL nsCOMPtr 

with operator* ().") ; 
return *get(); 

} 

@@ -1109,7 +1109,7 @§ class nsCOMPtr < nsISupports > 



} 

@@ -1143,7 +1143,7 @@ class nsCOMPtr < nsISupports > 
nsISupports* 
operator->() const 
{ 

NS_ABORT_IF_FALSE (mRawPtr != 0, "You can't dereference a NULL nsCOMPtr 
with operator ->().") ; 

+ TBB_NS_ABORT_IF_FALSE (mRawPtr != 0, "You can't dereference a NULL nsCOMPtr 

with operator ->().") ; 
return get(); 

} 

@@ -1168,7 +1168,7 @@ class nsCOMPtr < nsISupports > 
nsISupports& 
operator*() const 
{ 

NS_ABORT_IF_FALSE (mRawPtr != 0, "You can't dereference a NULL nsCOMPtr 
with operator *().") ; 

+ TBB_NS_ABORT_IF_FALSE (mRawPtr != 0, "You can't dereference a NULL nsCOMPtr 

with operator* ().") ; 



// Useful to avoid unnecessary AddRef /Release pairs with "out 
// parameters. 



{ 



+ 



NS_ASSERTION(rhs, "Null pointer passed to forget!"); 
TBB_NS_ASSERTION ( rhs , "Null pointer passed to forget!"); 
*rhs = 0; 
swap(*rhs) ; 



return *get(); 
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diff --git a/xpcom/glue/nsDebugTor . h b/xpcom/glue/nsDebugTor . h 
new file mode 100644 
index 0000000 .. 343e84e 
— /dev/null 

+++ b/xpcom/glue/nsDebugTor . h 
@@ -0,0 +1,371 §§ 

+ /* _*_ Mode: C++; tab-width: 4; indent -tabs -mode : nil; c - basic -of f set : 2 -*- */ 

+/* This Source Code Form is subject to the terms of the Mozilla Public 

+ * License, v. 2.0. If a copy of the MPL was not distributed with this 

+ * file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 

+ 

+#ifndef nsDebugTor_h 

+#define nsDebugTor_h 

+ 

+#ifndef nscore_h 

+#include "nscore.h" 

+#endif 

+ 

+#ifndef nsError_h 

+#include "nsError.h" 

+#endif 

+ 

+#include "nsXPCOM.h" 

+# include "mozilla/Assertions.h" 

+#include "mozilla/ Likely . h" 

+ 

+#ifndef TOR_NASSERT 
+#include "prprf.h" 
+#endif 
+ 

+#ifndef TOR_NASSERT 
+ 

+ * Abort the execution of the program if the expression evaluates to 
+ * false. 
+ * 

+ * There is no status value returned from the macro. 
+ * 

+ * Note that the non-debug version of this macro does <b>not</b> 
+ * evaluate the expression argument. Hence side effect statements 
+ * as arguments to the macro will yield improper execution in a 
+ * non-debug build. For example: 
+ * 

+ * TBB_NS_ABORT_IF_FALSE (0 == foo++, "yikes foo should be zero"); 

+ * 

+ * Note also that the non-debug version of this macro does <b>not</b> 
+ * evaluate the message argument. 
+ */ 

+#define TBB_NS_ABORT_IF_FALSE (_expr, _msg) \ 
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+ do { \ 
+ if (!(_expr)) { \ 
+ NS_DebugBreak( NS_DEBUG_ABORT , _msg, #_expr, FILE , LINE ); \ 

+ } \ 

+ } while(0) 

+ 

+ * Warn if a given condition is false. 
+ * 

+ * Program execution continues past the usage of this macro. 
+ * 

+ * Note also that the non-debug version of this macro does <b>not</b> 
+ * evaluate the message argument. 
+ */ 

+#define TBB_NS_WARN_IF_FALSE (_expr , _msg) \ 

+ do { \ 

+ if (!(_expr)) { \ 

+ NS_DebugBreak( TBB_NS_DEBUG_WARNING , _msg, #_expr, FILE , LINE ) ; \ 

+ } \ 

+ } while(0) 

+ 

+ * Test a precondition for truth. If the expression is not true then 
+ * trigger a program failure. 
+ */ 

+#define TBB_NS_PRECONDITION(expr , str) \ 

+ do { \ 

+ if (!(expr)) { \ 

+ NS_DebugBreak(NS_DEBUG_ASSERTION , str, #expr, FILE , LINE ); \ 

+ } \ 

+ } while(0) 

+ 

+ /** 

+ * Test an assertion for truth. If the expression is not true then 
+ * trigger a program failure. 
+ */ 

+#define TBB_NS_ASSERTION ( expr , str) \ 

+ do { \ 

+ if (!(expr)) { \ 

+ NS_DebugBreak(NS_DEBUG_ASSERTION , str, #expr, FILE , LINE ); \ 

+ } \ 

+ } while(0) 

+ 

+ * Test a post - condition for truth. If the expression is not true then 
+ * trigger a program failure. 
+ */ 

+#define TBB_NS_POSTCONDITION(expr , str) \ 

+ do { \ 

+ if (!(expr)) { \ 

+ NS_DebugBreak(NS_DEBUG_ASSERTION , str, #expr, FILE , LINE ); \ 
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} \ 
+ } while(0) 
+ 

+ * This macros triggers a program failure if executed. It indicates that 
+ * an attempt was made to execute some unimplemented functionality. 

+ */ 

+#define TBB_NS_NOTYETIMPLEMENTED ( str ) \ 

+ NS_DebugBreak(NS_DEBUG_ASSERTION , str, "NotYetlmplemented " , FILE , LINE ) 

+ 

+ * This macros triggers a program failure if executed. It indicates that 
+ * an attempt was made to execute some unimplemented functionality. 
+ */ 

+#define TBB_NS_NOTREACHED ( str) \ 

+ NS_DebugBreak ( NS_DEBUG_ASSERTION , str, "Not Reached", FILE , LINE ) 

+ 

+ * Log an error message. 
+ */ 

+#define TBB_NS_ERROR (str) \ 

+ NS_DebugBreak(NS_DEBUG_ASSERTION , str, "Error", FILE , LINE ) 

+ 

+ * Log a warning message. 
+ */ 

+#define TBB_NS_WARNING (str) \ 

+ NS_DebugBreak(TBB_NS_DEBUG_WARNING, str, nullptr, FILE , LINE ) 

+ 

+ /** 

+ * Trigger an abort 
+ */ 

+#define TBB_NS_ABORT ( ) \ 

+ NS_DebugBreak(NS_DEBUG_ABORT, nullptr, nullptr, FILE , LINE ) 

+ 

+ /** 

+ * Cause a break 
+ */ 

+#define TBB_NS_BREAK ( ) \ 

+ NS_DebugBreak(TBB_NS_DEBUG_BREAK, nullptr, nullptr, FILE , LINE ) 

+ 

+#else /* DEBUG */ 
+ 

+ * The non-debug version of these macros do not evaluate the 
+ * expression or the message arguments to the macro. 
+ */ 

+#define TBB_NS_ABORT_IF_FALSE (_expr, _msg) do { /* nothing */ } while(0) 
+#define TBB_NS_WARN_IF_FALSE (_expr , _msg) do { /* nothing */ } while (0) 
+#define TBB_NS_PRECONDITION(expr, str) do { /* nothing */ } while(0) 

+#define TBB_NS_ASS ERTION ( expr , str) do { /* nothing */ } while(0) 



May 30, 2014 



Tor Project Confidential 



Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 54 of 154 



244 


+#def ine 


TBB_ 


_NS_ 


_KUb 1 LUNUI 1 HJN^GXpPj ST P ) 
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/ 


nothing 


/ 


\ 

I 


while (0) 


245 


+#def ine 


TBB_ 


_NS_ 


_NU 1 Yb 1 IMKLbrlbN 1 bU^STP ) 


An 

ao 


r 
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/ 


nothing 




\ 

I 


wh i le ( 0 ) 


246 


+#def ine 


TBB_ 


_NS_ 


NOT RE ACHED ( St r ) 


do 


{ 


/* 


nothing 


*/ 


} 


while (0) 


247 


+#def ine 


TBB_ 


NS 


ERROR(str) 


do 


{ 


/* 


nothing 


*/ 


} 


while (0) 


248 


+#def ine 


TBB. 


.NS. 


_WARNING ( str) 


do 


{ 


/* 


nothing 


*l 


} 


while (0) 


249 


+#def ine 


TBB. 


.NS. 


ABORT ( ) 


do 


{ 


/* 


nothing 


*/ 


} 


while (0) 


250 


+#def ine 


TBB. 


.NS. 


_BREAK ( ) 


do 


{ 


/* 


nothing 


*/ 


} 


while (0) 



+#endif /* TOR_ASSERT */ 
+ 

+** Macros for static assertions. These are used by the sixgill tool. 
+** When the tool is not running these macros are no-ops. 

+ 

+/* Avoid name collision if included with other headers defining annotations. */ 
+#ifndef HAVE_STAT I C_AN NOTATIONS 
+#define HAVE_STAT I C_AN NOTATIONS 
+ 

+#ifdef XGILL_PLUGIN 
+ 

+#define STATIC_PRECONDITION(COND) attribute (( precondition (#COND) ) ) 

+#define STATIC_PRECONDITION_ASSUME (COND) attribute ( ( precondition_assume (#COND) ) 

) 

+#define STATIC_POSTCONDITION(COND) attribute (( postcondition (#COND) ) ) 

+#define STATIC_POSTCONDITION_ASSUME (COND) attribute ( ( postcondition_assume (#COND) 

)) 

+#define STATIC_INVARIANT ( COND ) 
+#def ine STATIC_INVARIANT_ASSUME (COND) 
+ 

+/* Used to make identifiers for assert/assume annotations in a function. */ 
+#define STATIC_PASTE2 (X , Y) X ## Y 
+#define STATIC_PASTE1 (X, Y) STATIC_PASTE2 (X, Y) 
+ 

+#define STATIC_ASSERT(COND) 
+ do { 

attribute ( ( assert_static (#COND) , unused) ) 

int STATIC_PASTEl(assert_static_ J COUNTER ); 

} while(0) 



attribute (( invariant (#COND) ) ) 

attribute ( ( invariant_assume (#COND) ) ) 



+#define STATIC_ASSUME (COND) \ 
+ do { \ 

+ attribute ( ( assume_static (#COND) , unused)) \ 

+ int STATIC_PASTEl(assume_static_ J COUNTER ); \ 

+ } while(0) 
+ 

+#define STATIC_ASSERT_RUNTIME (COND) 
+ do { 

+ attribute ( (assert_static_runtime(#COND) , unused)) 

+ int STATIC_PASTEl(assert_static_runtime_, COUNTER 

+ } while(0) 



\ 
\ 
\ 

); \ 
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+ 

+#else /* XGILL_PLUGIN */ 
+ 

+#define STATIC_PRECONDITION(COND) /* nothing */ 

+#define STATIC_PRECONDITION_ASSUME (COND) /* nothing */ 
+#define STATIC_POSTCONDITION(COND) /* nothing */ 

+#define STATIC_POSTCONDITION_ASSUME (COND) /* nothing */ 
+#define STATIC_INVARIANT ( COND ) /* nothing */ 

+#define STATIC_INVARIANT_ASSUME (COND) /* nothing */ 

+ 

+#define STATIC_ASSERT(COND) do { /* nothing */ } while(0) 

+#define STATIC_ASSUME (COND) do { /* nothing */ } while(0) 

+#define STATIC_ASSERT_RUNTIME (COND) do { /* nothing */ } while(0) 
+ 

+#endif /* XGILL_PLUGIN */ 
+ 

+#define STATIC_SKIP_INFERENCE ST ATI C_IN VARIANT ( skip_inf erence ( ) ) 
+ 

+#endif /* HAVE_STATIC_ANNOTATIONS */ 
+ 

+#ifdef XGILL_PLUGIN 
+ 

+/* Redefine runtime assertion macros to perform static assertions, for both 
+ * debug and release builds. Don't include the original runtime assertions; 
+ * this ensures the tool will consider cases where the assertion fails. */ 
+ 

+#undef TBB_NS_P RE CONDITION 
+#undef TBB_NS_ASSERTION 
+#undef TBB_NS_POSTCONDITION 
+ 

+#define TBB_NS_PRECONDITION(expr , str) STATIC_ASSERT_RUNTIME ( expr ) 
+#define TBB_NS_ASSERTION (expr, str) STATIC_ASSERT_RUNTIME ( expr ) 

+#define TBB_NS_POSTCONDITION(expr , str) STATIC_ASSERT_RUNTIME (expr) 
+ 

+#endif /* XGILL_PLUGIN */ 
+ 

+** Macros for terminating execution when an unrecoverable condition is 
+** reached. These need to be compiled regardless of the DEBUG flag. 

+ 

+ * Terminate execution <i>immediately </i>, and if possible on the current 
+ * platform, in such a way that execution can't be continued by other 
+ * code (e.g., by intercepting a signal). 

+ */ 

+#define TBB_NS_RUNTIMEABORT (msg) \ 

+ NS_DebugBreak(NS_DEBUG_ABORT, msg, nullptr, FILE , LINE ) 

+ 
+ 

+/* Macros for checking the trueness of an expression passed in within an 
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+ * interface implementation. These need to be compiled regardless of the */ 
+/* DEBUG flag 

+ 

+#define TBB_NS_ENSURE_TRUE (x, ret) \ 

+ do { \ 

+ if (MOZ_UNLIKELY( ! (x) ) ) { \ 

+ TBB_NS_WARNING ( "TBB_NS_ENSURE_TRUE ( " #x ") failed"); \ 

+ return ret; \ 

+ } \ 

+ } while(0) 

+ 

+#define TBB_NS_ENSURE_FALSE (x, ret) \ 

+ TBB_NS_ENSURE_TRUE( ! (x) , ret) 

+ 

+#define TBB_NS_ENSURE_TRUE_VOID(x) \ 

+ do { \ 

+ if (MOZ_UNLIKELY( ! (x) ) ) { \ 

+ TBB_NS_WARNING ( "TBB_NS_ENSURE_TRUE ( " #x ") failed"); \ 

+ return; \ 

+ } \ 

+ } while(0) 

+ 

+#define TBB_NS_ENSURE_FALSE_VOID(x) \ 

+ TBB_NS_ENSURE_TRUE_VOID( ! (x)) 

+ 

+** Macros for checking results 
+ 

+#if ! defined (TOR_NASSERT) && ! defined (XPCOM_GLUE_AVOID_NSPR) 
+ 

+#define TBB_NS_ENSURE_SUCCESS_BODY( res , ret) \ 
+ char *msg = PR_smprintf ( "TBB_NS_ENSURE_SUCCESS (%s, %s) failed with " \ 

+ "result 0x%X", #res, #retj rv); \ 

+ TBB_NS_WARNING (msg) ; \ 

+ PR_smprintf_f ree (msg) ; 

+ 

+#define TBB_NS_ENSURE_SUCCESS_BODY_VOID ( res ) \ 
+ char *msg = PR_smprintf ( "TBB_NS_ENSURE_SUCCESS_VOID (%s ) failed with " \ 

+ "result 0x%X"j #res, rv); \ 

+ TBB_NS_WARNING (msg) ; \ 

+ PR_smprintf_f ree (msg) ; 

+ 

+#else 
+ 

+#define TBB_NS_ENSURE_SUCCESS_BODY( res , ret) \ 

+ TBB_NS_WARNING("TBB_NS_ENSURE_SUCCESS(" #res " #ret ") failed"); 

+ 

+#define TBB_NS_ENSURE_SUCCESS_BODY_VOID ( res ) \ 
+ TBB_NS_WARNING("TBB_NS_ENSURE_SUCCESS_VOID(" #res ") failed"); 
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+ 

+#endif 
+ 

+#define TBB_NS_ENSURE_SUCCESS ( res , ret) \ 
+ do { \ 

+ nsresult rv = res; /* Don't evaluate | res | more than once */ \ 

+ if (TBB_NS_FAILED( rv)) { \ 

+ TBB_NS_ENSURE_SUCCESS_BODY(res, ret) \ 

+ return ret; \ 

+ } \ 

+ } while(0) 

+ 

+#define TBB_NS_ENSURE_SUCCESS_VOID( res ) \ 

+ do { \ 

+ nsresult rv = res; \ 

+ if ( TBB_NS_FAI LED ( rv)) { \ 

+ TBB_NS_ENSURE_SUCCESS_BODY_VOID(res) \ 

+ return; \ 

+ } \ 

+ } while(0) 

+ 

+ ** Macros for checking state and arguments upon entering interface boundaries 
+ 

+#define TBB_NS_ENSURE_ARG(arg) \ 

+ TBB_NS_ENSURE_TRUE(arg, TBB_NS_ERROR_INVALID_ARG ) 

+ 

+#define TBB_NS_ENSURE_ARG_POINTER ( arg) \ 

+ TBB_NS_ENSURE_TRUE(arg, TBB_NS_ERROR_INVALID_POINTER) 

+ 

+#define TBB_NS_ENSURE_ARG_MIN ( arg, min) \ 

+ TBB_NS_ENSURE_TRUE ( ( arg ) >= min, TBB_NS_ERROR_INVALID_ARG ) 

+ 

+#define TBB_NS_ENSURE_ARG_MAX( arg, max) \ 

+ TBB_NS_ENSURE_TRUE((arg) <= max, TBB_NS_ERROR_INVALID_ARG ) 

+ 

+#define TBB_NS_ENSURE_ARG_RANGE (arg, min, max) \ 

+ TBB_NS_ENSURE_TRUE ( ( ( arg) >= min) S& ((arg) <= max), TBB_NS_ERROR_INVALID_ARG) 

+ 

+#define TBB_NS_ENSURE_STATE ( state ) \ 

+ TBB_NS_ENSURE_TRUE (state, TBB_NS_ERROR_UN EXPECTED) 

+ 

+#define TBB_NS_ENSURE_NO_AGGREGATION (outer) \ 

+ TBB_NS_ENSURE_FALSE (outer , TBB_NS_ERROR_NO_AGGREGATION ) 

+ 

+#define TBB_NS_ENSURE_PROPER_AGGREGATION (outer , iid) \ 
+ TBB_NS_ENSURE_FALSE (outer &S ! iid . Equals ( TBB_NS_GET_IID( nsISupports )) , 
TBB_NS_ERROR_INVALID_ARG) 

+ 



May 30, 2014 



Tor Project Confidential 



Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 58 of 154 



+ 

+#ifdef XPCOM_GLUE 

+ #define TBB_NS_CheckThreadSaf e (owningThread , msg) 
+#else 

+ #define TBB_NS_CheckThreadSaf e (owningThread , msg) \ 

+ MOZ_ASSERT(owningThread == PR_GetCurrentThread ( ) , msg) 

+#endif 

+ 

+/* When compiling the XPCOM Glue on Windows, we pretend that it's going to 
+ * be linked with a static CRT (-MT) even when it's not. This means that we 
+ * cannot link to data exports from the CRT, only function exports. So, 
+ * instead of referencing "stderr" directly, use fdopen. 
+ */ 

+#ifdef cplusplus 

+extern "C" { 

+#endif 

+ 

+NS_COM_GLUE void 

+printf_stderr( const char *fmt, ...); 
+ 

+#ifdef cplusplus 

+ } 

+#endif 
+ 

+#endif /* nsDebugTor_h */ 



Listing 7: Sample Patch For Enabling Assertions In nsCOMPtr 
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E.3 JavaScript Engine Assertions 



diff --git a/js/public/HashTable.h b/ js/public/HashTable . h 
index b9b7ef 8 . . e44b5362 100644 
— a/js/public/HashTable.h 
+++ b/ js/public/HashTable . h 
@@ -10,7 +18,7 (3(5) 

#include "mozilla/Assertions.h" 

#include " mo zilla/ At tributes. h" 

#include "mozilla/Casting . h" 
-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 

#include "mozilla/PodOperations.h" 

#include "mo zilla/ TypeTraits.h" 

#include "mozilla/Util . h " 
@@ -717,7 +717,7 @@ class HashTable : private AllocPolicy 
{ 

friend class HashTable; 
HashNumber keyHash; 

mozilla : : Debug0nly<uint64_t > mutationCount; 
+ mozilla :: DebugOnlyTor< uint64_t > mutationCount; 

AddPtr(Entry Sentry, HashNumber hn) : Ptr(entry), keyHash(hn) {} 
public : 

@@ -740,7 +740,7 (a)(5) class HashTable : private AllocPolicy 
} 

Entry *cur, *end; 

mozilla :: DebugOnly< bool > validEntry; 
+ mozilla :: DebugOnlyTor<bool> validEntry; 

public : 

Range() : cur(NULL), end(NULL), validEntry (false) {} 
§§ -877,8 +877,8 §§ class HashTable : private AllocPolicy 
#endif 

friend class js : : ReentrancyGuard; 

mutable mozilla :: DebugOnly<bool> entered; 

mozilla :: Debug0nly<uint64_t> mutationCount; 
+ mutable mozilla :: DebugOnlyTor<bool > entered; 
+ mozilla :: Debug0nlyTor<uint64_t > mutationCount; 

// The default initial capacity is 32 (enough to hold 16 elements), but it 

// can be as low as 4. 
diff --git a/js/public/Utility .h b/ js/public/Utility . h 
index 7582673 .. ba997fb 100644 
--- a/js/public/Utility.h 
+++ b/ js/public/Utility . h 
@@ -7,7 +7,7 @(5) 
#ifndef js_Utility_h 
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#define js_Utility_h 



-#include "mozilla/Assertions.h" 
+# include " mozilla/ Assert ions To r . h" 
#include "mozilla/ At tributes. h" 
#include "mozilla/Compiler . h" 
#include "mozilla/Scoped . h" 
§§ -39,11 +39,11 @@ namespace js {} 
*/ 

#define JS FREE PATTERN 0xDA 



-#def ine 


JS_ 


_ASSERT(expr) 


-#def ine 


3S_ 


_ASSERT_IF(cond, expr) 


-#def ine 


JS_ 


_N0T_REACHED( reason) 


-#def ine 


3S_ 


_ALWAYS_TRUE ( expr) 


-#def ine 


3S_ 


_ALWAYS_FALSE ( expr ) 


+#def ine 


3S_ 


ASSERT(expr) 


+#def ine 


JS_ 


_ASSERT_IF(cond, expr) 


+#def ine 


3S. 


_N0T_RE ACHED ( reason ) 


+#def ine 


JS_ 


_ALWAYS_TRUE (expr) 


+#def ine 


3S. 


_ALWAYS_FALSE ( expr ) 



MOZ_ASSERT(expr) 
MOZ_ASSERT_IF(cond, expr) 
M0Z_N0T_REACHED( reason ) 
MOZ_ALWAYS_TRUE(expr) 
MOZ_ALWAYS_FALSE (expr) 
TBB_MOZ_ASSERT(expr) 
TBB_MOZ_ASSERT_IF(cond , expr) 
TBB_M0Z_N0T_REACHED( reason) 
TBB_MOZ_ALWAYS_TRUE (expr) 
TBB_MOZ_ALWAYS_FALSE (expr) 



#ifdef DEBUG 
# ifdef 3S_THREADSAFE 
@§ -56,15 +56,15 @§ namespace js {} 
#endif 



#if defined(DEBUG) 
-# define JS_DIAGNOSTICS_ASSERT(expr) MOZ_ASSERT(expr) 
+# define DS_DIAGNOSTICS_ASSERT(expr) TBB_MOZ_ASSERT( expr ) 

#elif defined (DS_CRASH_DIAGNOSTICS) 
-# define 3S_DIAGN0STICS_ASSERT(expr) do { if (!(expr)) M0Z_CRASH(); } while(0) 
+# define JS_DIAGNOSTICS_ASSERT(expr) do { if (!(expr)) TBB_MOZ_CRASH ( ) ; } while(B) 

#else 

# define DS_DIAGNOSTICS_ASSERT(expr) ((void) 0) 
#endif 



-#define JS_STATIC_ASSERT( cond ) MOZ_STATIC_ASSERT(cond , " 3S_STATIC_ASSERT" ) 

-#define DS_STATIC_ASSERT_IF ( cond , expr) MOZ_STATIC_ASSERT_IF ( cond , expr, " 

DS_STATIC_ASSERT_IF") 
+#define JS_STATIC_ASSERT( cond ) TBB_MOZ_STATIC_ASSERT( cond , " 

1S_STATIC_ASSERT") 

+#define 3S_STATIC_ASSERT_IF ( cond , expr) TBB_MOZ_STATIC_ASSERT_IF ( cond , expr, " 
]S_STATIC_ASSERT_IF") 



extern M0Z_N0RETURN DS_PUBLIC_API ( void ) 

JS_Assert ( const char *s, const char *file, int In); 

diff --git a/ js/public/Vector . h b/ js/public/Vector . h 

index 8982ad3 . . 71a3372 100644 

— a/ js/public/Vector . h 

+++ b/ js/public/Vector . h 
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@@ -251,13 +251,13 @@ class Vector : private AllocPolicy 
T *mBegin; 

size_t mLength; /* Number of elements in the Vector. */ 

size_t mCapacity; /* Max number of elements storable in the Vector without 
resizing. */ 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

size_t mReserved; /* Max elements of reserved or used space in this vector. 
#endif 

mozilla : : AlignedStorage < slnlineBytes > storage; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

friend class ReentrancyGuard ; 

bool entered; 
#endif 

§§ -287,7 +287,7 @@ class Vector : private AllocPolicy 
return mBegin + mLength; 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

size_t reserved() const { 

3S_ASSERT(mReserved <= mCapacity); 
DS_ASSERT(mLength <= mReserved); 
§@ -530,7 +530,7 @@ DS_ALWAYS_INLINE 
Vector<T,N, AllocPolicy > : : Vector (AllocPolicy ap) 

: AllocPolicy (ap) , mBegin((T *) storage . addr( )) , mLength(0), 
mCapacity(sInlineCapacity) 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

, mReserved ( slnlineCapacity ) , entered (false ) 
#endif 
{} 

@@ -540,13 +540,13 @§ template <class T, size_t N, class AllocPolicy> 
DS_ALWAYS_INLINE 

Vector<T, N, AllocPolicy >:: Vector (MoveRef <Vector> rhs) 

: AllocPolicy ( rhs ) 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
, entered ( false ) 
#endif 
{ 

mLength = rhs - >mLength ; 

mCapacity = rhs - >mCapacity ; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

mReserved = rhs - >mReserved ; 
#endif 
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@@ -567,7 +567,7 @@ Vector<T, N, AllocPolicy >:: Vector (MoveRef <Vector > rhs) 

rhs->mBegin = (T *) rhs - >storage . addr () ; 

rhs - >mCapacity = slnlineCapacity; 

rhs - >mLength = 0; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

rhs - >mReserved = slnlineCapacity; 

#endif 
} 

@@ -714,7 +714,7 (3(3 Vector<T,N,AP>: : initCapacity ( size_t request) 
return false; 
mBegin = newbuf; 
mCapacity = request; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

mReserved = request; 
#endif 

return true; 

@(3 -728,7 +728,7 (3(3 Vector<T, N, AP >:: reserve ( size_t request) 

if (request > mCapacity && ! growStorageBy ( request - mLength)) 
return false; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

if (request > mReserved) 
mReserved = request; 
DS_ASSERT(ml_ength <= mReserved); 
(3(3 -761,7 +761,7 (3(3 Vector<T, N, AP> : : growBylmpl ( size_t incr) 
if ( InitNewElems ) 

Impl: :initialize(endNoCheck(), newend ) ; 
mLength += incr; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

if (mLength > mReserved) 
mReserved = mLength; 

#endif 

(3(3 -826,7 +826,7 @@ Vector <T, N, AP >:: c learAnd F ree ( ) 
this->free_(beginNoCheck()); 
mBegin = (T *) storage . addr () ; 
mCapacity = slnlineCapacity; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

mReserved = slnlineCapacity; 
#endif 
} 

@@ -847,7 +847,7 @@ Vector <T, N, AP >:: append ( U t) 

if (mLength == mCapacity && ! growStorageBy (1) ) 
return false; 

-#ifdef DEBUG 
+#ifndef TOR NASSERT 
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if (mLength + 1 > mReserved) 
mReserved = mLength + 1; 

#endif 

§§ -874,7 +874,7 @@ Vector<T, N, AP >:: appendN ( const T &t, size_t needed) 
if (mLength + needed > mCapacity && ! growStorageBy ( needed ) ) 
return false; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

if (mLength + needed > mReserved) 
mReserved = mLength + needed; 

#endif 

§§ -936,7 +936,7 @@ Vector<T, N, AP >:: append ( const U *insBegin, const U *insEnd) 
if (mLength + needed > mCapacity && ! growStorageBy ( needed ) ) 
return false; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

if (mLength + needed > mReserved) 
mReserved = mLength + needed; 

#endif 

§§ -1016,7 +1016,7 @@ Vector<T,N,AP>: : extractRawBuf f er ( ) 
mBegin = (T *) storage . addr () ; 
mLength = 0; 

mCapacity = slnlineCapacity ; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

mReserved = slnlineCapacity; 

#endif 
} 

@@ -1052,7 +1052,7 @@ Vector<T,N,AP>: : replaceRawBuffer(T *p, size_t aLength) 
mLength = aLength; 
mCapacity = aLength; 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

mReserved = aLength; 

#endif 

} 

(5>@ -1093,7 +1093,7 @@ Vector<T,N,AP>: :swap( Vector Sother) 

Swap (mLength , other . mLength ) ; 
Swap ( mCapacity , other. mCapacity); 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

Swap (mReserved , other. mReserved); 
#endif 
} 

diff --git a/ js/src/assembler/assembler/ LinkBuf f er . h b/ js/src/assembler/assembler/ 

LinkBuf f er . h 
index 8891232 .. fl76dcb 100644 
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— a/js/src/assembler/assembler/LinkBuffer.h 
+++ b/js/src/assembler/assembler/LinkBuffer.h 
@@ -70,7 +78,7 @@ public: 

m_code = executableAllocAndCopy (*masiii, executableAllocator , poolp); 

m_executablePool = *poolp; 

m_size = masm - >m_assembler . size ( ) ; // must come after call to 
executableAllocAndCopy ( ) ! 
-#ifndef NDEBUG 
+#ifndef TOR_NASSERT 

m_completed = false; 

#endif 

*ok = ! ! m_code; 
§§ -SI, 7 +81,7 @@ public: 

, m_code(NULL) 

, m_size(0) 

, m_codeKind ( kind ) 
-#ifndef NDEBUG 
+#ifndef TOR_NASSERT 

, m_completed (false ) 

#endif 
{ 

§@ -92,7 +92,7 @@ public: 

, m_code ( ncode ) 

, m_size(size) 

, m_codeKind ( kind ) 
-#ifndef NDEBUG 
+#ifndef TOR_NASSERT 

, incompleted (false ) 

#endif 
{ 

@@ -208,7 +208,7 @@ protected: 

void perf ormFinalization ( ) 
{ 

-#ifndef NDEBUG 
+#ifndef TOR_NASSERT 

ASSERT ( ! incompleted ) ; 

m_completed = true; 

#endif 

@@ -221,7 +221,7 §§ protected: 

void* m_code; 

size_t m_size; 

CodeKind m_codeKind; 
-#ifndef NDEBUG 
+#ifndef TOR_NASSERT 

bool m_completed; 
#endif 

}; 

diff --git a/ js/src/assembler/assembler/HacroAssemblerX86Common . h b/ js/src/assembler/ 

assembler/MacroAssemblerX86Common . h 
index 8781642 .. 7f7a291 100644 
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— a/js/src /assembler/ as sembler/MacroAssemblerX86Common . h 
+++ b/js/src /assembler/assembler/Mac roAssemblerX86Common . h 
@@ -1449,7 +1449,7 @@ private: 



#endif // P LATFORM ( MAC ) 
-#elif !defined(NDEBUG) // CPU(X86) 
+#elif !defined(TOR_NASSERT) // CPU(X86) 

// On X86-64 we should never be checking for SSE2 in a non-debug build, 
// but non debug add this method to keep the asserts above happy. 

diff --git a/ js/src/assembler/assembler/HacroAssemblerX86_64 . h b/ js/src/assembler/ 
assembler/MacroAssemblerX86_64 . h 

index c76b6ad . .459b49a 100644 

— a/ js/src/assembler/assembler/MacroAssemblerX86_64 . h 
+++ b/js/src /assembler/assembler/Mac roAssemblerX86_64 . h 
@@ -30,7 +30,7 @@ 

#if ndef assembler_assembler_MacroAssemblerX86_64_h 

#def ine assembler_assembler_MacroAssemblerX86_64_h 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 

#include "assembler/wtf/Platform.h" 

@@ -126,7 +126,7 @@ public: 

Call call() 
{ 

mozilla : : DebugOnly<DataLabelPtr> label = moveWithPatch ( ImmPtr (0) , 
scratchRegister); 

+ mozilla :: DebugOnlyTor<DataLabelPtr> label = moveWithPatch ( ImmPtr (0) , 

scratchRegister); 

Call result = Call (m_assembler . call ( scratchRegister) , Call :: Linkable ) ; 
ASSERT(differenceBetween(label, result) == REPTACH_0FFSET_CALL_R11 ) ; 
return result; 
§@ -134,7 +134,7 (3(5) public: 

Call tailRecursiveCall ( ) 
{ 

mozilla : : DebugOnly <DataLabelPtr > label = moveWithPatch ( ImmPtr (0) , 
scratchRegister); 

+ mozilla :: DebugOnlyTor<DataLabelPtr> label = moveWithPatch ( ImmPtr (0) , 

scratchRegister); 

Dump newDump = Jump (m_assembler . jmp_r ( scratchRegister )) ; 
ASSERT(differenceBetween(label, newDump) == REPTACH_0FFSET_CALL_R11) ; 
return Call:: fromTailDump( newDump) ; 
§§ -143,7 +143,7 @@ public: 

Call makeTailRecursiveCall ( Dump oldDump) 
{ 

oldDump. link(this); 
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mozilla : : DebugOnly<DataLabelPtr> label = moveWithPatch ( ImmPtr (0) , 
scratchRegister); 

+ mozilla :: DebugOnlyTor <DataLabelPtr > label = moveWithPatch ( ImmPtr (0) , 

scratchRegister); 

Dump newJump = Dump (m_assembler . jmp_r ( sc ratchRegister ) ) ; 

ASSERT(differenceBetween(label , newDump) == REPTACH_0FFSET_CALL_R11) ; 

return Call:: f romTail3ump(newDump) ; 
diff --git a/ js/src/assembler/wtf /Assertions . h b/js/src/assembler/wtf /Assertions . h 
index eb0744e .. df 4948b 100644 

— a/ js/src/ ass em bier/ wtf/ Assert ions. h 
+++ b/ js/src/ ass em bier/ wtf/ Assert ions. h 
(5>@ -27 j 9 +27,9 @@ 

#def ine assembler_wtf _Assert ions_h 

#include "Platform. h" 
-#include "mozilla/Assertions.h" 
+# include " mo zilla/ Assert ions To r.h" 

-#ifndef DEBUG 
+#ifdef TOR_NASSERT 
/* 

* Prevent unused -variable warnings by defining the macro WTF uses to test 

* for assertions taking effect. 
§§ -37,13 +37,13 @@ 

# define ASSERT_DISABLED 1 
#endif 

-#define ASSERT ( assertion ) MOZ_ASSERT( assertion ) 
+#define ASSERT ( assertion ) TBB_HOZ_ASSERT( assertion ) 
#define ASSERT_UNUSED ( variable, assertion) do { \ 
(void) variable; \ 
ASSERT(assertion); \ 
} while (0) 

-#define ASS ERT_NOT_RE ACHED ( ) MOZ_NOT_REACHED ( " " ) 
-#define CRASH () MOZ_CRASH() 

-#define COMPILE_ASSERT(exp, name) MOZ_STATIC_ASSERT(exp, #name) 
+#define ASS ERT_NOT_RE ACHED ( ) TBB_MOZ_NOT_REACHED ( " " ) 
+#define CRASH () TBB_MOZ_CRASH ( ) 

+#define COMPILE_ASSERT(exp, name) TBB_MOZ_STATIC_ASSERT(exp, #name) 

#endif /* assembler_wtf_Assertions_h */ 
diff --git a/ js/src/ctypes/CTypes . h b/ js/src/ctypes/CTypes . h 
index 39a00ee . . 89f ce64 100644 

— a/ js/src/ctypes/CTypes . h 
+++ b/ js/src/ctypes/CTypes . h 
@@ -6,7 +6,7 @@ 

#ifndef ctypes_CTypes_h 
#define ctypes_CTypes_h 

-#include "mozilla/Assertions.h" 
+# include "mozilla/AssertionsTor.h" 
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#include "mozilla/TypeTraits.h" 

#include "jscntxt.h" 
(5>@ -60,7 +60,7 @§ private: 
template<class T, size_t N = 0> 

class Array : public Vector<T, N, SystemAllocPolicy > 
{ 

— MOZ_STATIC_ASSERT((!mozilla: :IsSame<T, JS :: Value >:: value ) , 

+ TBB_MOZ_STATIC_ASSERT(( ! mozilla : :IsSame<T, JS : : Value >: : value), 
"use US : : AutoValueVector instead"); 

}; 

diff --git a/js/src/ds/LifoAlloc .h b/ js/src/ds/Lif oAlloc . h 
index 3e663e4 . . 8258d9d 100644 

— a/js/src/ds/LifoAlloc . h 
+++ b/js/src/ds/LifoAlloc . h 
@@ -7,7 +7,7 @@ 

#ifndef ds_Lif oAlloc_h 
#define ds_Lif oAlloc_h 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 
#include " mo zilla/ Memo ryChec king. h" 
#include "mozilla/PodOperations.h" 
#include "mo zilla/ TypeTraits.h" 
§§ -261,7 +261,7 @@ class LifoAlloc 

if (latest && (result = latest - >tryAlloc (n )) ) 
return result; 

mozilla : : DebugOnly <BumpChunk *> chunk = getOrCreateChunk ( n ) ; 
+ mozilla :: DebugOnlyTor< BumpChunk *> chunk = getOrCreateChunk ( n ) ; 

JS_ASSERT(chunk); 

return latest ->allocInfallible(n); 
diff --git a/ js/src/f rontend/BytecodeEmitter . cpp b/ js/src/f rontend/BytecodeEmitter . 
cpp 

index bf 8d240 . . If 3bl0c 100644 

— a/ js/src/f rontend/BytecodeEmitter. cpp 
+++ b/ js/src/f rontend/BytecodeEmitter . cpp 
@@ -10,7 +10,7 (3(5) 

#include "f rontend/BytecodeEmitter-inl . h" 

-#include " mo zilla /DebugOnly. h" 
+#include "mozilla /DebugOnly Tor . h" 

#include "mozilla/ Floatingpoint. h" 

#include "mozilla/PodOperations.h" 

@@ -43,7 +43,7 @(5) using namespace js; 
using namespace js::gc; 
using namespace js : : f rontend; 
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-using mozilla : : DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

using mozilla :: DoubleIsInt32; 

using mozilla :: PodCopy; 

@@ -1389,7 +1389,7 @(5) BindNameToSlotHelper ( DSContext *cx, BytecodeEmitter *bce, 
ParseNode *pn) 

if (dn - >pn_cookie . level ( ) != bee- >script -> static Level ) 
return true; 

DebugOnly< JSFunction *> fun = bee - >sc - >asFunctionBox ()- >f unction () ; 
+ DebugOnlyTor< JSFunction *> fun = bee - >sc - >asFunctionBox ()- >f unction () ; 

JS_ASSERT( fun -> is Lambda () ); 
DS_ASSERT(pn->pn_atom == f un - >atom ( ) ) ; 

(5)(5) -2841,7 +2841,7 @@ EmitDestructuringOpsHelper ( DSContext *cx, BytecodeEmitter *bce, 
ParseNode *pn, 
ParseNode *pn2, *pn3; 
bool doElemOp; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

int stackDepth = bee - >stackDepth ; 

DS_ASSERT(stackDepth != 0); 

DS_ASSERT( pn ->isArity(PN_LIST)); 
@@ -4065,7 +4065,7 @@ EmitLet ( DSContext *cx, BytecodeEmitter *bce, ParseNode *pnLet) 

StmtlnfoBCE stmtlnf o ( cx) ; 

PushBlockScopeBCE(bce, Sstmtlnfo, *blockObj, bee - >of f set ( ) ) ; 

DebugOnly < ptrdiff_t > bodyBegin = bee - >of f set ( ) ; 
+ DebugOnlyTor<ptrdif f_t > bodyBegin = bee - >of f set ( ) ; 

if ( ! EmitEnterBlock(cx, bee, letBody, DSOP_ENTERLET0 ) ) 
return false; 

(5>@ -4076,7 +4076,7 §§ EmitLet ( DSContext *cx, BytecodeEmitter *bce, ParseNode *pnLet) 
DS_ASSERT(leaveOp == 3S0P_LEAVEBL0CK || leaveOp == ]SOP_LEAVEBLOCKEXPR ) ; 
EHIT_UINT16_IMM_0P(leave0p, blockObj - >slotCount ( ) ) ; 

DebugOnly<ptrdiff_t> bodyEnd = bee - >of f set ( ) ; 
+ DebugOnlyTor <ptrdiff_t > bodyEnd = bee - >of f set ( ) ; 
DS_ASSERT( bodyEnd > bodyBegin); 

return PopStatementBCE (cx, bee); 
@@ -4223,7 +4223,7 @@ Emit Forln ( DSContext *cx, BytecodeEmitter *bce, ParseNode *pn, 
ptrdiff_t top) 
if (EmitLoopHead(cx, bee, NULL) < 0) 
return false; 

-#ifdef DEBUG 
+#ifndef TOR NASSERT 
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int loopDepth = bee - >stackDepth ; 
#endif 

diff --git a/ js/sre/f rontend/TokenStream . epp b/ js/sre/f rontend/TokenStream . epp 
index 02da46f . . b2aada3 100644 

— a/ js/sre/f rontend/TokenStream. epp 
+++ b/js/sre/frontend/ TokenStream. epp 

§§ -918,7 +918,7 @@ TokenStream : : atomize( JSContext *cx, CharBuffer Scb) 
return AtomizeChars<CanGC>(cx, cb.begin(), cb . length ()) ; 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
bool 

IsTokenSane(Token *tp) 
{ 

diff --git a/ js/sre/f rontend/TokenStream . h b/js/sre/f rontend/TokenStream . h 
index 48f dec3 . . f 279ef f 2 100644 

— a/js/src/frontend/TokenStream.h 
+++ b/js/src/frontend/TokenStream.h 
@@ -11,7 +11,7 @@ 

* JS lexical scanner interface. 
*/ 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 
#include "mozilla/PodOperations.h" 

#include <stddef.h> 
@@ -883,7 +883,7 @@ class MOZ_STACK_CLASS TokenStream 
} 

void consumeKnownChar ( int32_t expect) { 

mozilla : : DebugOnly<int32_t > c = getChar(); 
+ mozilla :: DebugOnlyTor< int32_t > c = getCharQ; 

3S_ASSERT(c == expect); 

} 

diff --git a/ js/src/gc/Heap . h b/ js/src/gc/Heap . h 
index 4f 04ace . . 7d571c3 100644 

— a/ js/src/gc/Heap . h 
+++ b/j s/src/gc/Heap . h 

@@ -100,7 +100,7 @@ struct Cell 

inline DSRuntime *runtime() const; 
inline Zone *tenuredZone ( ) const; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

inline bool isAligned() const; 

inline bool isTenured() const; 
#endif 
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@@ -994,7 +994,7 @@ Cell : : tenuredZone ( ) const 
return arenaHeader ( ) ->zone; 

} 

-#ifdef DEBUG 
+#ifndef T0R_NASSERT 
bool 

Cell : : isAligned ( ) const 
{ 

diff --git a/ js/src/gc/Marking . cpp b/ js/src/gc/Marking . cpp 
index 47a7f ca . . df 55bl7 100644 
— a/js/src/gc/Marking . cpp 
+++ b/j s/src/gc/Marking . cpp 
@@ -6,7 +6,7 @@ 

#include "gc/Marking . h" 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 

#include " jit/IonCode . h" 
#include "vm/Shape . h" 
@@ -20,7 +20,7 (3(5) 
using namespace js; 
using namespace js::gc; 

-using mozilla : : DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

void * const js : : NullPtr : : constNullValue = NULL; 

@@ -126,7 +126,7 @@ CheckHarkedThing(DSTracer *trc, T *thing) 
DS_ASSERT(thing->zone() ->rt == trc - >runtime ) ; 
DS_ASSERT(trc->debugPrinter || trc - >debugPrintArg) ; 

DebugOnly< JSRuntime *> rt = trc -> runtime; 
+ DebugOnlyTor< JSRuntime *> rt = trc - >runtime ; 

DS_ASSERT_IF ( IS_GC_MARKING_TRACER (trc ) &S rt - >gcManipulatingDeadZones , 
! thing- >zone()->scheduledForDestruction); 
@@ -378,7 +378,7 @@ gc : : MarkKind ( DSTracer *trc, void **thingp, DSGCTraceKind kind) 
{ 

]S_ASSERT(thingp); 
DS_ASSERT(*thingp); 

DebugOnly<Cell *> cell = static_cast <Cell *>(*thingp); 
+ DebugOnlyTor <Cell *> cell = static_cast<Cell *>(*thingp); 

DS_ASSERT_IF(cell->isTenured(), kind == MapAllocToTraceKind ( cell - > 

tenur edGet Alloc Kind() )) ; 
switch (kind) { 

case 3STRACE_OB3ECT: 
diff --git a/ js/src/gc/RootMarking . cpp b/js/src/gc/RootMarking . cpp 
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index 861c2d6 . . adll6b4 100644 

— a/ js/src/gc/RootMarking . cpp 
+++ b/js/src/gc/RootMarking . cpp 
@@ -4,7 +4,7 §§ 

* License, v. 2.0. If a copy of the MPL was not distributed with this 

* file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 

-ttinclude "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 
#include "mozilla/Util . h " 

#include "jsapi.h" 
@@ -476,7 +476,7 @@ AutoGCRooter : : t race ( DSTracer *trc) 
case OBJOBJHASHMAP: { 

AutoObjectOb jectHashMap : : HashMapImpl &map = static_cast< 

AutoObjectOb jectHashMap *>(this)->map; 
for (AutoObjectOb jectHashMap :: Enum e(map); !e.empty(); e . popFront ( ) ) { 
mozilla :: DebugOnlyOSObject *> key = e . front (). key ; 
+ mozilla : : DebugOnlyTor< JSObject *> key = e . front (). key ; 

MarkObjectRoot(trc, const_cast < DSOb ject **> (Se . front (). key ) , " 

AutoObjectOb jectHashMap key"); 
3S_ASSERT(key == e . front (). key ) ; // Needs rewriting for moving GC, see 
bug 726687. 

MarkOb jectRoot (trc , Se . front (). value , "AutoOb jectObjectHashMap value"); 
@@ -488,7 +488,7 @@ AutoGCRooter :: t race ( DSTracer *trc) 

AutoObjectUnsigned32HashMap *self = static_cast <AutoOb jectUnsigned32HashMap 
*>(this); 

AutoObjectUnsigned32HashMap :: HashMapImpl Smap = self->map; 
for ( AutoObjectUnsigned32HashMap : : Enum e(map); !e.empty(); e . popFront () ) { 
mozilla :: DebugOnlyOSObject *> key = e . front (). key ; 
+ mozilla :: DebugOnlyTor< JSObject *> key = e . front (). key ; 

MarkObjectRoot(trc, const_cast<3S0bject **> (Se . front (). key ) , " 

AutoObjectUnsignedHashMap key"); 
JS_ASSERT(key == e . front (). key ) ; // Needs rewriting for moving GC, see 
bug 726687. 

} 

@@ -499,7 +499,7 @@ AutoGCRooter :: trace ( DSTracer *trc) 

AutoObjectHashSet *self = static_cast <AutoOb jectHashSet *>(this); 
AutoOb jectHashSet :: HashSetlmpl Sset = self->set; 
for (AutoOb jectHashSet :: Enum e(set); !e.empty(); e . popFront () ) { 
mozilla :: DebugOnlyOSObject *> obj = e.front(); 
+ mozilla :: DebugOnlyTor<]SObject *> obj = e.front(); 

MarkObjectRoot(trc, const_cast<DSObject **> (Se . front ()) , " 

AutoObjectHashSet value"); 
DS_ASSERT(obj == e.front()); // Needs rewriting for moving GC, see bug 
726687. 

} 

diff --git a/ js/src/ jit/AsmDS . cpp b/ js/src/ jit/AsmDS . cpp 
index d05289e . . a42c81f 100644 

— a/ js/src/ jit/AsmDS . cpp 
+++ b/ js/src/ jit/AsmJS . cpp 
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@@ -1089,7 +1089,7 @@ class MOZ_STACK_CLASS ModuleCompiler 

TokenStream S tokenStream_; 

DebugOnly<int> currentPass_; 
+ DebugOnlyTor<int> currentPass_; 

bool addStandardLibraryMathName ( const char *name, AsmJSMathBuiltin builtin) { 
DSAtom *atom = Atomize(cx_, name, strlen ( name ) ) ; 
diff --git a/ js/src/ j it/Backt rackingAllocator . cpp b/ js/src/ jit/BacktrackingAllocator . 
cpp 

index 55dbdf b . . 61b2324 100644 

— a/ js/src/j it /BacktrackingAllocator. cpp 
+++ b/ js/src/j it/Backt rackingAllocator. cpp 
@@ -9,7 +9,7 (3(5) 

using namespace js; 
using namespace js::jitj 

-using mozilla : : DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

bool 

BacktrackingAllocator : :init() 
@(5) -1117,7 +1117,7 @(5) BacktrackingAllocator :: populateSaf epoints ( ) 

// is not used with gcthings or nunboxes, or we would have to add the 

input reg 
// to this safepoint. 

if (ins == reg->ins() && ! reg - >isTemp ( ) ) { 

DebugOnly < LDefinition* > def = reg->def(); 
+ DebugOnlyTor< LDef inition*> def = reg->def(); 

DS_ASSERT_IF(def->policy() == LDef inition : : MUST_REUSE_INPUT , 

def->type() == LDef inition :: GENERAL || def->type() == 
LDefinition: : DOUBLE ) ; 

continue ; 

diff --git a/ js/src/ jit/BaselineIC . cpp b/ js/src/ jit/BaselineIC . cpp 
index 9652169 .. 150dc3c 100644 

— a/ js/src/ jit/BaselineIC . cpp 
+++ b/ js/src/ jit/BaselineIC . cpp 
@@ -601,7 +601,7 @@ void 

ICStubCompiler : : enterStubFrame(MacroAssembler &masm, Register scratch) 
{ 

EmitEnterStubFrame(masm, scratch); 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

entersStubFrame_ = true; 
#endif 
} 

(a)(5) -992,7 +992,7 (a)(5) DoProf ilerFallbac k ( DSContext *cx, BaselineFrame *frame, 
ICProf iler_Fallback *stu 

{ 

RootedScript script(cx, f rame - >script ( ) ) ; 
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RootedFunction func(cx, f rame - >maybeFun ( ) ) ; 
mozilla : : DebugOnly<ICEntry *> icEntry = stub - > icEnt ry ( ) ; 
+ mozilla :: DebugOnlyTor<ICEntry *> icEntry = stub - >icEntry ( ) ; 

FallbackICSpew(cx, stub, "Profiler"); 

§§ -4910,7 +4910,7 @@ DoGetNameFallbackpSContext *cx, BaselineFrame *frame, 
ICGetName_Fallback *stub, 

{ 

RootedScript script(cx, f rame - >script ( ) ) ; 
jsbytecode *pc = stub - >icEntry ()- >pc ( script ) ; 
mozilla :: Debug0nly<JS0p> op = JSOp(*pc); 
+ mozilla :: Debug0nlyTor<3S0p> op = JSOp(*pc); 

FallbackICSpew(cx, stub, "GetName (%s ) " , js_CodeName[ JSOp(*pc) ] ) ; 

DS_ASSERT(op == DSOP_NAME | | op == JSOP_CALLNAME | | op == DSOP_GETGNAME | | op 
3S0P_CALLGNAME); 

@(5) -5043,7 +5043,7 @@ DoBindNameFallback ( 1 SContext *cx, BaselineFrame *frame, 
ICBindName_Fallback *stu 

HandleObject scopeChain, MutableHandleValue res) 

{ 

jsbytecode *pc = stub - >icEntry ()- >pc (frame - >script ()) ; 
mozilla :: DebugOnly<JSOp> op = JSOp(*pc); 
+ mozilla :: DebugOnlyTor<JSOp> op = DSOp(*pc); 

FallbackICSpew(cx, stub, " BindName (%s ) " , j s_CodeName [ DSOp ( *pc ) ] ) ; 

JS_ASSERT(op == DSOP_BINDNAME); 
@(5) -5087,7 +5087,7 @@ DoGet Int rinsicFallbac k ( DSContext *cx, BaselineFrame *frame, 
ICGetIntrinsic_Fallb 

{ 

RootedScript script(cx, f rame - >script ( ) ) ; 
jsbytecode *pc = stub - >icEntry ()- >pc ( script ) ; 
mozilla :: Debug0nly<JS0p> op = JSOp(*pc); 
+ mozilla :: DebugOnlyTor<DSOp> op = 3S0p(*pc); 

FallbackICSpew(cx, stub, "Getlntrinsic (%s ) " , js_CodeName [ DSOp (*pc ) ] ) ; 

DS_ASSERT(op == DSOP_GETINTRINSIC || op == 3S0P_CAL LINTRINSIC ) ; 
diff --git a/ js/src/ j it/BaselineIC . h b/ js/src/ jit/BaselineIC . h 
index 63da318 . . 2dl3e75 100644 
— a/ js/src/ jit/BaselineIC . h 
+++ b/ js/src/ jit/BaselineIC . h 
@@ -980,7 +980,7 @@ class ICStubCompiler 

// Prevent GC in the middle of stub compilation. 

js: :gc: :AutoSuppressGC suppressGC; 

mozilla :: DebugOnly<bool> entersStubFrame_; 
+ mozilla :: DebugOnlyTor<bool> entersStubFrame_; 

protected : 

DSContext *cx; 

diff --git a/ js/src/ j it/Baselinelnspector . h b/ js/src/ jit/Baselinelnspector . h 
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index bb40c3a . . 72035bl 100644 

— a/js/src/jit/Baselinelnspector.h 
+++ b/js/src/jit/Baselinelnspector.h 

(5>@ -67,7 +67,7 @(5) class Baselinelnspector 
} 

private : 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

bool isValidPC ( j sbytecode *pc) { 

return (pc >= script - >code ) && (pc < script - >code + script - >length ) ; 

} 

diff --git a/ js/src/ jit/BaselineDIT . cpp b/ js/src/ jit/BaselineDIT . cpp 
index b3832f 0 . . f 6b0bdl 100644 

— a/js/src/ jit/BaselineDIT . cpp 
+++ b/]s/src/jit/Baseline3IT.cpp 

(8(5) -35,7 +35,7 @(5) BaselineScript : : BaselineScript ( uint32_t prologueOf f set , uint32_t 
spsPushToggleOf 
: method_(NULL)j 

fallbackStubSpace_(), 
prologueOf f set_( prologueOf f set ) , 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
spsOn_(f alse ) , 
#endif 

spsPushToggleOf fset_( spsPushToggleOf f set ) , 
@@ -737,7 +757 ,7 @@ BaselineSc ript : : toggleSPS ( bool enable) 
Assembler: :ToggleToCmp(pushToggleLocation); 

else 

Assembler: :ToggleToDmp(pushToggleLocation); 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
spsOn_ = enable; 
#endif 
} 

diff --git a/ js/src/ jit/BaselineJIT . h b/js/src/ jit/Baseline]IT . h 
index c3f 9981 . . 5db487f 100644 

— a/js/src/ jit/Baseline] IT . h 
+++ b/js/src/ jit/Baseline] IT . h 

(3(5) -110,8 +110,8 @@ struct BaselineScript 
uint32_t prologueOf fset_; 

// The offsets for the toggledJump instructions for SPS update ICs. 
-#ifdef DEBUG 

mozilla : : DebugOnly<bool> spsOn_; 
+#ifndef TOR_NASSERT 

+ mozilla :: DebugOnlyTor<bool> spsOn_; 
#endif 

uint32_t spsPushToggleOf fset_; 
diff --git a/ js/src/ j it/CodeGenerator . cpp b/ j s/src/J it/CodeGenerator . cpp 
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index 534ae07 . . 5d263d2 100644 
— a/js/src/jit/CodeGenerator.cpp 
+++ b/js/src/jit/CodeGenerator.cpp 
@@ -4,9 +4,9 @@ 

* License, v. 2.0. If a copy of the MPL was not distributed with this 

* file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 

-#include "mozilla/Assertions.h" 

+# include " mozilla/ Assert ions To r.h" 

#include "mozilla/ At tributes. h" 

-#include "mozilla/DebugOnly.h" 

+#include " mozilla /DebugOnly Tor . h" 

#include "mozilla/Util . h " 

#include " Perf Spewer . h" 
§§ -32,7 +32,7 @@ 
using namespace js; 
using namespace js::jitj 

-using mozilla :: DebugOnly ; 
+using mozilla :: DebugOnlyTor ; 
using mozilla :: Maybe; 

namespace js { 

@@ -317,19 +317,19 §§ class OutOf LineTestObject : public OutOf LineCodeBase < 
CodeGenerator > 
Label *ifTruthy_; 
Label *ifFalsy_; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

bool initialized ( ) { return ifTruthy_ != NULL; } 
#endif 

public : 

OutOf LineTestObject ( ) 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

: ifTruthy_(NULL), if Falsy_( NULL ) 

#endif 
{ } 

bool accept(CodeGenerator *codegen) MOZ_FINAL MOZ_OVERRIDE { 
MOZ_ASSERT(initialized()); 
+ TBB_MOZ_ASSERT(initialized()); 

codegen - >emitOOLTestOb ject (ob j reg_, ifTruthy_, ifFalsy_, scratch_); 
return true; 

} 

@@ -338,8 +338,8 §§ class OutOf LineTestObject : public OutOf LineCodeBase< 
CodeGenerator > 

// jump to if the object is truthy or falsy, and a scratch register for 
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// use in the out-of-line path. 

void setlnputAndTargets ( Register objreg, Label *ifTruthy, Label *ifFalsy, 

Register scratch) { 

MOZ_ASSERT( ! initialized ( ) ); 

MOZ_ASSERT(ifTruthy); 
+ TBB_MOZ_ASSERT( ! initialized ()) ; 

+ TBB_MOZ_ASSERT (ifTruthy); 

objreg_ = objreg; 

scratch_ = scratch; 

ifTruthy_ = ifTruthy; 
@(5) -438,7 +438,7 @@ CodeGenerator :: testValueTruthy ( const ValueOperand &value, 
bool 

CodeGenerator: : visitTestOAndBranch ( LTestOAndBranch *lir) 
{ 

MOZ_ASSERT(lir->mir( ) - >operandMightEmulateUndef ined ( ) , 
+ TBB_MOZ_ASSERT( lir- >mir ( ) -> opera ndMight Emu lateUndef ined ( ) , 

"Objects which can't emulate undefined should have been constant- 
folded"); 

OutOf LineTestObject *ool = new OutOf LineTestOb ject ( ) ; 
(5)@ -516,7 +516,7 @@ CodeGenerator :: visitTypeObjectDispatch ( LTypeOb jectDispatch *lir) 
DSFunction *func = mir - >getCase ( i) ; 
LBlock *target = mir- >getCaseBlock( i ) - >lir ( ) ; 

DebugOnly<bool> found = false; 
+ DebugOnlyTor<bool> found = false; 

for (size_t j = 0; j < propTable - >numEntries ( ) ; j++) { 
if ( propTable - >getFunction (j ) != func) 
continue ; 

@@ -821,12 +821,12 @@ bool 
CodeGenerator: : visitReturn ( LReturn *lir) 
{ 

#if defined(3S_NUNBOX32) 

DebugOnly< LAllocation *> type = lir - >getOperand (TYPE_INDEX) ; 
DebugOnly < LAllocation *> payload = lir - >getOperand ( PAYLOAD_INDEX) ; 
+ DebugOnlyTor< LAllocation *> type = lir ->get Operand (TYPE_INDEX) ; 
+ DebugOnlyTor< LAllocation *> payload = lir ->get Operand ( PAYLOAD_INDEX) ; 
DS_ASSERT(ToRegister(type) == JSReturnReg_Type ) ; 
DS_ASSERT(ToRegister(payload) == 3SReturnReg_Data ) ; 
#elif defined (DS_PUNB0X64) 

DebugOnly < LAllocation *> result = lir - >getOperand (0) ; 
+ DebugOnlyTor< LAllocation *> result = lir - >getOperand (0) ; 
DS_ASSERT(ToRegister(result) == DSReturnReg) ; 
#endif 

// Don't emit a jump to the return label if this is the last block. 
@@ -1317,7 +1317,7 @@ CodeGenerator: : visitCallNative ( LCallNative *call) 
// Misc. temporary registers. 

const Register tempReg = ToRegister ( call - >getTempReg( ) ) ; 

DebugOnly < uint32_t > initialStack = masm . f ramePushed ( ) ; 
+ DebugOnlyTor<uint32_t > initialStack = masm . f ramePushed () ; 
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masm . checkStackAlignment ( ) ; 

@@ -1400,7 +1400,7 @@ CodeGenerator : : visitCallDOMNative ( LCallDOMNative *call) 
const Register argPrivate = ToRegister ( call - >getArgPrivate ( ) ) ; 
const Register argArgs = ToRegister ( call - >getArgArgs ()) ; 

DebugOnly < uint32_t > initialStack = masm . f ramePushed ( ) ; 
+ DebugOnlyTor<uint32_t > initialStack = masm . f ramePushed () ; 

masm . checkStackAlignment ( ) ; 

§§ -2389,7 +2389,7 @@ CodeGenerator :: maybeCreateScriptCounts ( ) 

MResumePoint *resume = block - >entryResumePoint () ; 

while ( resume - >caller () ) 

resume = resume - >caller () ; 

DebugOnly<uint32_t> offset = resume->pc() - script - >code; 
+ DebugOnlyTor < uint32_t > offset = resume->pc() - script - >code; 

JS_ASSERT(offset < script - >length ) ; 

} 

(S)@ -2694,7 +2694,7 @(B CodeGenerator :: visitNewArray ( LNewArray *lir) 

DS_ASSERT( gen - >inf o ( ) . executionMode ( ) == SequentialExecution ) ; 

Register objReg = ToRegister ( lir - >output ()) ; 

DSObject *templateObject = lir - >mir ( ) - >templateOb ject ( ) ; 

DebugOnly < uint32_t > count = lir - >mir ( ) - >count ( ) ; 
+ Debug0nlyTor<uint32_t > count = lir - >mir ( ) - >count ( ) ; 

DS_ASSERT(count < DSObject: :NELEMENTS_LIMIT); 

§§ -3695,7 +3695,7 @@ CodeGenerator :: visitlsNullOrLikeUndef ined ( 
LIsNullOrLikeUndef ined *lir) 
Register output = ToRegister ( lir - >output ()) ; 

if (op == 3S0P_EQ || op == DSOP_NE) { 

MOZ_ASSERT(lir->mir()->lhs()->type() != MIRType_Object || 
+ TBB_MOZ_ASSERT(lir->mir()->lhs()->type() != MIRType_Ob ject || 

lir->mir()->operandMightEmulateUndefined(), 

"Operands which can't emulate undefined should have been folded") 



-3783,7 +3783,7 @@ CodeGenerator :: visitlsNullOrLikeUndef inedAndBranch ( 
LIsNullOrLikeUndef ined An dB ran 
op = JSOP_EQ; 

} 

MOZ_ASSERT(lir->mir()->lhs()->type() != MIRType_Object || 
TBB_MOZ_ASSERT(lir->mir()->lhs()->type() != MIRType_Ob ject || 
lir->mir()->operandMightEmulateUndefined(), 

"Operands which can't emulate undefined should have been folded") 
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@(5) -3831,14 +3831,14 @@ static const VMFunction ConcatStringsInf o = Functionlnf o< 
ConcatStringsFn>(Concat 
bool 

CodeGenerator : : visitEmulatesUndef ined ( LEmulatesUndef ined *lir) 
{ 

MOZ_ASSERT ( lir - >mir ( ) - >compareType ( ) == MCompare : : Compare_Undef ined | 
+ TBB_MOZ_ASSERT( lir- >mir ( ) - >compareType ( ) == MCompare :: Compare_Undef ined | 
lir - >mir ( ) - >compareType ( ) == MCompare :: Compare_Null) ; 
MOZ_ASSERT(lir->mir()->lhs()->type() == MIRType_Ob]'ect ) ; 
MOZ_ASSERT (lir->mir()->operandMightEmulateUndefined(), 
+ TBB_MOZ_ASSERT(lir->mir()->lhs()->type() == MIRType_Object ) ; 
+ TBB_MOZ_ASSERT( lir - >mir ( ) -> opera ndMight Emu lateUndef ined ( ) , 

"If the object couldn't emulate undefined, this should have been 
folded."); 

JSOp op = lir - >mir ( ) - > j sop ( ) ; 

MOZ_ASSERT(op == JSOP_EQ | | op == JSOP_NE, "Strict equality should have been 
folded"); 

+ TBB_MOZ_ASSERT(op == 3S0P_EQ || op == DSOP_NE, "Strict equality should have been 
folded"); 

OutOf LineTestObjectWithLabels *ool = new OutOf LineTestOb jectWith Labels () ; 
if (!addOutOfLineCode(ool)) 
(5)(5) -3866,13 +3866,13 @@ CodeGenerator :: visitEmulatesUndef ined ( LEmulatesUndef ined *lir 
) 

bool 

CodeGenerator ::visitEmulatesUndefinedAndBranch(LEmulatesUndefinedAndBranch *lir) 
{ 

MOZ_ASSERT ( lir - >mir ( ) - >compareType ( ) == MCompare :: Compare_Undef ined | 
+ TBB_MOZ_ASSERT( lir - >mir ( ) - >compareType ( ) == MCompare :: Compare_Undef ined | 
lir - >mir ( ) - >compareType ( ) == MCompare :: Compare_Null) ; 
MOZ_ASSERT(lir->mir( ) - >opera ndMight Emu lateUndef ined ( ) , 
+ TBB_MOZ_ASSERT( lir- >mir ( ) -> opera ndMight Emu lateUndef ined ( ) , 

"Operands which can't emulate undefined should have been folded"); 

JSOp op = lir - >mir ( ) - > j sop ( ) ; 

MOZ_ASSERT(op == 3S0P_EQ | | op == 3S0P_NE, "Strict equality should have been 
folded"); 

+ TBB_MOZ_ASSERT(op == JSOP_EQ || op == DSOP_NE, "Strict equality should have been 
folded"); 

OutOf LineTestObject *ool = new OutOf LineTestOb ject () ; 
if (!addOutOfLineCode(ool)) 
(5)(5) -4136,7 +4136,7 @@ CodeGenerator :: visitSetlnitializedLength ( LSetlnitializedLength 
*lir) 
bool 

CodeGenerator: : visitNotO( LNotO *lir) 
{ 

MOZ_ASSERT(lir->mir( ) - >opera ndMight Emu lateUndef ined ( ) , 
+ TBB_MOZ_ASSERT( lir- >mir ( ) -> opera ndMight Emu lateUndef ined ( ) , 
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"This should be constant -folded if the object can't emulate undefined 

■ "); 

OutOf LineTestObjectWithLabels *ool = new OutOf LineTestOb jectWithLabels ( ) ; 
§§ -6585,7 +6585,7 @@ CodeGenerator : : visitGetDOMProperty ( LGetDOMProperty *ins) 
const Register PrivateReg = ToRegister ( ins - >getPrivReg ( ) ) ; 
const Register ValueReg = ToRegister ( ins - >getValueReg ()) ; 

DebugOnly < uint32_t > initialStack = masm . f ramePushed () ; 
+ DebugOnlyTor<uint32_t > initialStack = masm . f ramePushed () ; 

masm . checkStackAlignment ( ) ; 

@@ -6654,7 +6654,7 @§ CodeGenerator :: visitSetDOMProperty ( LSetDOMProperty *ins) 
const Register PrivateReg = ToRegister ( ins - >getPrivReg ()) ; 
const Register ValueReg = ToRegister ( ins - >getValueReg ()) ; 

DebugOnly < uint32_t > initialStack = masm . f ramePushed () ; 
+ DebugOnlyTor<uint32_t > initialStack = masm . f ramePushed () ; 

masm . checkStackAlignment ( ) ; 

diff --git a/ js/src/ j it/InlineList . h b/ js/src/ jit/InlineList . h 
index 441f df e . . 37d2058 100644 
— a/js/src/ jit/InlineList . h 
+++ b/js/src/ jit/InlineList . h 
@@ -7,7 +7,7 @@ 

#ifndef jit_InlineList_h 

#define jit_InlineList_h 

-#include "mozilla/DebugOnly.h" 
+# include " mo zilla/ DebugOnly To r.h" 

#include "jsutil.h" 

(5)@ -40,7 +40,7 (S)(S> class InlineForwardList : protected InlineForwardListNode<T> 
typedef InlineForwardListNode<T> Node; 

Node *tail_; 

mozilla :: DebugOnly <int> modif yCount_; 
+ mozilla :: DebugOnlyTor<int> modif yCount_; 

InlineForwardList<T> *thisFromConstructor ( ) { 
return this; 
@@ -140,7 +140,7 §@ private: 

InlineForwardListIterator<T>( const InlineForwardList<T> *owner) 
: prev( const_cast <Node * >( static_cast <const Node *>(owner))), 
iter(owner ? owner->next : NULL) 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

, owner_(owner) , 
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modifyCount_(owner ? owner - >modifyCount_ . value : 0) 

#endif 

@@ -179,10 +179,10 @@ private: 
Node *prev; 
Node *iter; 

-#ifdef DEBUG 
+#ifndef T0R_NASSERT 

const InlineForwardList <T> *owner_; 
#endif 

mozilla : : DebugOnly <int> modif yCount_; 
+ mozilla :: DebugOnlyTor<int> modif yCount_; 

}; 

template <typename T> class InlineList; 
diff --git a/ js/src/ jit/IonBuilder . cpp b/js/src/ jit/IonBuilder . cpp 
index a0c70f 5 . . 6c4d8e3 100644 
— a/ js/src/ jit/IonBuilder . cpp 
+++ b/js/src/ jit/IonBuilder . cpp 
@@ -6,7 +6,7 @@ 

#include "jit/IonBuilder . h" 

-#include "mozilla/DebugOnly.h" 
+# include " mozilla/ DebugOnly To r.h" 

#include " builtin/Eval . h " 
#include "frontend/SourceNotes.h" 
§@ -31,7 +31,7 @@ 
using namespace js; 
using namespace js::jit; 

-using mozilla :: DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

IonBuilder : : IonBuilder ( JSContext *cx, TempAllocator *temp, MIRGraph *graph, 

Baselinelnspector *inspector, Compilelnfo *info, 
BaselineFrame *baselineFrame , 
@@ -194,7 +194,7 @@ IonBuilder :: getPolyCallTargets (types :: StackTypeSet *calleeTypes , 
{ 

return false; 

} 

DebugOnly<bool> appendOk = targets . append ( obj ) ; 
+ DebugOnlyTor<bool> appendOk = targets . append (obj ) ; 

DS_ASSERT(appendOk); 
} else { 

/* Temporarily disable heavyweight - function inlining. */ 
(3(5) -209,7 +209,7 @@ IonBuilder :: getPolyCallTargets (types :: StackTypeSet *calleeTypes , 
} 

if ( ! typeOb j -> interpreted Function ->getOrCreateScript(cx)) 
return false; 
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DebugOnly<bool> appendOk = targets . append (typeObj - >interpretedFunction ) ; 
+ DebugOnlyTor<bool> appendOk = targets . append (typeObj - > 

interpret edFunction); 

JS_ASSERT(appendOk); 

*gotl_ambda = true; 
§§ -2159,7 +2159,7 @@ IonBuilder : : processBreak ( 1 SOp op, jssrcnote *sn) 

// Find the break target. 

jsbytecode *target = pc + GetHumpOf f set ( pc ) ; 
DebugOnly<bool> found = false; 
+ DebugOnlyTor<bool > found = false; 

if (SN_TYPE(sn) == SRC_BREAK2LABEL ) { 

for (size_t i = labels_ . length ( ) - 1; i < labels_ . length () ; i--) { 
(S)@ -2343,7 +2343,7 @@ IonBuilder :: maybe Loop ( JSOp op, jssrcnote *sn) 
void 

IonBuilder: : assertValidLoopHeadOp( jsbytecode *pc) 
{ 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

DS_ASSERT( JSOp(*pc) == DSOP_LOOPHEAD) ; 

// Make sure this is the next opcode after the loop header, 
@@ -3772,7 +3772,7 @@ IonBuilder :: makePolylnlineDispatch ( DSContext *cx, Calllnfo & 
calllnf o , 

MResumePoint :: New( current , pc, callerResumePoint_, MResumePoint : : ResumeAt ) ; 
if ( ! preCallResumePoint ) 
return NULL; 

DebugOnly < size_t > preCallFuncDef nldx = preCallResumePoint - >numOperands ( ) - ((( 
size_t) calllnf o . argc () ) + 2); 
+ DebugOnlyTor < size_t > preCallFuncDef nldx = preCallResumePoint - >numOperands ( ) - 
(((size_t) calllnfo. argc()) + 2); 

DS_ASSERT( preCallResumePoint ->getOperand(preCallFuncDefnIdx) == calllnfo. fun()); 

MDefinition *targetOb ject = getPropCache - >ob ject ( ) ; 
@@ -3816,7 +3816,7 @(5) IonBuilder :: makePolylnlineDispatch ( DSContext *cx, Calllnfo & 
calllnfo , 

// The f allbackBlock inherits the state of the stack right before the getprop, 
which 

// means we have to pop off the target of the getprop before performing it. 
DebugOnly <MDefinition *> checkTargetObject = f allbackBlock - >pop () ; 
+ DebugOnlyTor <MDefinition *> checkTargetObject = f allbackBlock - >pop () ; 
DS_ASSERT( checkTargetObject == targetOb ject ) ; 

// Remove the instructions leading to the function definition from the current 
@@ -3994,7 +3994,7 @@ IonBuilder :: inlineTypeOb j ect Fallback ( Calllnf o Scalllnfo, 
MBasicBlock *dispatchBl 
if (! preCallResumePoint ) 
return false; 
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DebugOnly < size_t > preCallFuncIndex = preCallResumePoint - >numOperands ( ) - 
callInfo.numFormals(); 
+ DebugOnlyTor<size_t> preCallFuncIndex = preCallResumePoint - >numOperands ( ) - 
callInfo.numFormals(); 

DS_ASSERT( preCallResumePoint ->getOperand( preCallFuncIndex) == fallbackInfo.fun() 

); 

II In the dispatch block, replace the function's slot entry with Undefined. 
@@ -4022,7 +4022,7 @@ IonBuilder :: inlineTypeOb j ect Fallback ( Calllnfo Scalllnfo, 
MBasicBlock *dispatchBl 

// Since the getPropBlock inherited the stack from right before the 

MGetPropertyCache , 
// the target of the MGetPropertyCache is still on the stack. 
DebugOnly <MDefinition *> checkObject = getPropBlock - >pop () ; 
+ DebugOnlyTor<MDef inition *> checkObject = getPropBlock - >pop () ; 
DS_ASSERT(checkObject == cache - >object ()) ; 

// Move the MGetPropertyCache and friends into the getPropBlock. 
(8(5) -7387,7 +7387,7 @@ IonBuilder :: TestCommonPropFunc ( JSContext *cx, types:: 
StackTypeSet *types, Handle 
// above. 

DS_ASSERT(propSet); 

// Asking, freeze by asking. 

DebugOnly < bool > isOwn = propSet ->isOwnProperty (cx, curType, false); 
+ DebugOnlyTor<bool> isOwn = propSet - >isOwnProperty ( cx, curType, false 

); 

DS_ASSERT(!isOwn); 

// Don't mark the proto. It will be held down by the shape 

// guard. This allows us tp use properties found on prototypes 

diff --git a/ js/src/ j it/IonCaches . cpp b/ js/src/ jit/IonCaches . cpp 

index 933d42d . . 06f 3ebb 100644 

— a/js/src/ jit/IonCaches . cpp 

+++ b/js/src/ jit/IonCaches . cpp 

§@ -4,7 +4,7 @@ 

* License, v. 2.0. If a copy of the MPL was not distributed with this 

* file. You can obtain one at http://mozilla.Org/MPL/2.0/. */ 

-#include "mozilla/DebugOnly.h" 
+#include "moz ilia/ DebugOnly Tor . h" 

#include " Perf Spewer . h" 
#include "CodeGenerator . h" 
@@ -23,7 +23,7 (3(5) 
using namespace js; 
using namespace js::jitj 

-using mozilla :: DebugOnly ; 
+using mozilla :: DebugOnlyTor; 
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void 

CodeLocationJ ump : : repoint ( IonCode *code, MacroAssembler *masm) 
@(5) -893,7 +893,7 @@ GenerateCallGetter ( JSContext *cx, IonScript *ion, MacroAssembler 
&masm , 

DS_ASSERT_IF ( ! callNative, IsCacheableGetPropCallPropertyOp(obj , holder, shape)); 
// TODO: ensure stack is aligned? 

DebugOnly < uint32_t > initialStack = masm . f ramePushed () ; 
+ DebugOnlyTor<uint32_t > initialStack = masm . f ramePushed ( ) ; 

Label success, exception; 

§§ -1061,7 +1061,7 @@ GetPropertylC : : attachDOMProxyShadowed ( JSContext *cx, IonScript 
*ion, DSObject *o 
// saveLive() 

masm.PushRegsInMask(liveRegs_); 

DebugOnly < uint32_t > initialStack = masm . f ramePushed () ; 
+ DebugOnlyTor<uint32_t > initialStack = masm . f ramePushed () ; 

// Remaining registers should be free, but we need to use |object| still 
// so leave it alone. 

(5>@ -1848,7 +1848,7 @@ SetPropertylC : : attachSetterCall ( DSContext *cx, IonScript *ion, 
Register argVpReg = regSet . takeGeneral ( ) ; 

// Ensure stack is aligned. 

DebugOnly < uint32_t > initialStack = masm . f ramePushed () ; 
+ DebugOnlyTor<uint32_t > initialStack = masm . f ramePushed () ; 

Label success, exception; 

@@ -2282,7 +2282,7 §§ Get Element IC :: attachTypedAr ray E lement ( DSContext *cx, IonScript 
*ion, JSObject *o 

// The output register is not yet specialized as a float register, the only 
// way to accept float typed arrays for now is to return a Value type. 
DebugOnly<bool> floatOutput = arrayType == TypedArray : : TYPE_FLOAT32 || 
+ DebugOnlyTor<bool > floatOutput = arrayType == TypedArray :: TYPE_FLOAT32 || 

arrayType == TypedArray :: TYPE_FL0AT64; 
DS_ASSERT_IF( ! output () .hasValue(), ! floatOutput ) ; 

diff --git a/ js/src/ jit/IonFrames . h b/ js/src/ jit/IonFrames . h 
index f cd33e6 . . 33df d94 100644 
— a/js/src/ jit/IonFrames . h 
+++ b/js/src/ jit/IonFrames . h 
@@ -9,7 +9,7 @@ 

#ifdef JS_ION 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/ DebugOnly Tor . h" 
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#include "jsfun.h" 
#include "jstypes.h" 
@@ -123,7 +123,7 §@ class Saf epointlndex 
uint32_t saf epointOf f set_; 

}; 

mozilla : : DebugOnly<bool> resolved; 
+ mozilla :: DebugOnlyTor<bool> resolved; 

public : 

Saf epointIndex( uint32_t displacement, LSafepoint *safepoint) 
diff --git a/ js/src/ jit/ LinearScan . cpp b/ js/src/ jit/LinearScan . cpp 
index 1961da5 . . bf 9be81 100644 

— a/ js/src/ jit/LinearScan . cpp 
+++ b/ js/src/ jit/LinearScan . cpp 
@@ -6,7 +6,7 §§ 

#include <limits.h> 

-#include " mozilla /DebugOnly.h" 
+#include "mozilla/ DebugOnly Tor . h" 

#include "BitSet.h" 
#include " LinearScan . h" 
@@ -17,7 +17,7 @@ 
using namespace js; 
using namespace js::jit; 

-using mozilla :: DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

/* 

* Merge virtual register intervals into the UnhandledQueue , taking advantage 
(6)@ -476,7 +476,7 @@ LinearScanAllocator : : populateSaf epoints ( ) 

// is not used with gcthings or nunboxes, or we would have to add the 

input reg 
// to this safepoint. 

if (ins == reg->ins() && ! reg - >isTemp ( ) ) { 

DebugOnly <LDefinition*> def = reg->def(); 
+ DebugOnlyTor< LDef inition*> def = reg->def(); 

JS_ASSERT_IF(def->policy() == LDef inition : : MUST_REUSE_INPUT , 

def->type() == LDef inition :: GENERAL || def->type() == 
LDefinition: : DOUBLE ) ; 

continue ; 

diff --git a/ js/src/ jit/ LiveRangeAllocator . cpp b/ js/src/ jit/ LiveRangeAllocator . cpp 
index e6dleec . . 5f 46a72 100644 

— a/ js/src/ jit /LiveRangeAllocator .cpp 
+++ b/ js/src/ jit /LiveRangeAllocator .cpp 
@@ -4,7 +4,7 @§ 

* License, v. 2.0. If a copy of the MPL was not distributed with this 
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* file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 

#include " LiveRangeAllocator . h" 

@@ -14,7 +14,7 (3(5) 
using namespace js; 
using namespace js::jitj 

-using mozilla : : DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

int 

Requirement :: priority ( ) const 
@@ -355,7 +355,7 (3(3 VirtualRegister : : getFirstlnterval ( ) 
template bool LiveRangeAllocator < LinearScanVirtualRegister > : : buildLivenessInf o ( ) ; 
template bool LiveRangeAllocator <BacktrackingVirtualRegister >: :buildLivenessInfo(); 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
static inline bool 

NextlnstructionHasFixedUses ( LBlock *block, LInstruction *ins) 
{ 

§§ -642,8 +642,8 (3(3 Li veRangeAllocator < VREG > : : build Li venesslnf o ( ) 
} 

} 

DebugOnly<bool> hasUseRegister = false; 

DebugOnly<bool> hasUseRegisterAtStart = false; 
+ DebugOnlyTor<bool> hasUseRegister = false; 

+ DebugOnlyTor<bool> hasUseRegisterAtStart = false; 

for ( LInstruction :: Inputlterator alloc (** ins ) ; alloc . more () ; alloc. next 
0) { 

if (alloc->isUse()) { 
diff --git a/ js/src/j it/ LiveRangeAllocator . h b/js/src/ jit/LiveRangeAllocator . h 
index 4c349bl . . f 119eea 100644 
— a/js/src/ jit/LiveRangeAllocator . h 
+++ b/js/src/ jit/LiveRangeAllocator . h 
@@ -7,7 +7,7 (3(3 

#if ndef jit_LiveRangeAllocator_h 

#def ine jit_LiveRangeAllocator_h 

-#include "mozilla/DebugOnly.h" 
+# include "mozilla/ DebugOnly To r.h" 

#include " RegisterAllocator . h " 
#include " St a ckSlot Allocator . h" 
(3(3 -122,7 +122,7 (3(3 UseCompatibleWith ( const LUse *use, LAllocation alloc) 
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return false; 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

static inline bool 

Def initionCompatibleWith ( LInstruction *ins, const LDefinition *def, LAllocation 
alloc) 

@@ -261,7 +261,7 @@ class Livelnterval 

const Range *getRange ( size_t i) const { 
return Sranges_[i]; 

} 

void set LastProcessedRange ( size_t range, mozilla : : DebugOnly <CodePosition > pos) { 
+ void set LastProcessedRange ( size_t range, mozilla :: DebugOnlyTor<CodePosition > pos 
) { 

// If the range starts after pos, we may not be able to use 

// it in the next lastProcessedRangelfValid call. 

DS_ASSERT( ranges_[ range ]. from <= pos); 
diff --git a/ js/src/ jit/ Lowering . cpp b/js/src/ jit/ Lowering . cpp 
index f dldc57 . . 9ee6072 100644 
— a/ js/src/ jit/Lowering . cpp 
+++ b/ js/src/ jit/Lowering . cpp 
@@ -14,7 +14,7 @@ 
#include "jsbool.h" 
#include "jsnum.h" 

#include " shared/ Lowering -shared-inl.h" 
-#include "mozilla/DebugOnly.h" 
+#include "mozilla/ DebugOnly Tor . h" 

using namespace js; 
using namespace jit; 
@(5) -263,7 +263,7 @@ LIRGenerator : : visitPrepareCall (MPrepareCall *ins) 
{ 

allocateArguments(ins->argc()); 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

if (!prepareCallStack_.append(ins)) 
return false; 

#endif 

@@ -380,7 +380,7 @@ LIRGenerator: :visitCall(MCall *call) 
GetTempRegForlntArg (0, 0, &cxReg); 
GetTempRegForIntArg(l, 0, SobjReg); 
GetTempRegForIntArg(2, 0, &privReg); 

mozilla :: DebugOnly < bool > ok = GetTempRegForIntArg(3, 0, SargsReg); 
+ mozilla :: DebugOnlyTor<bool> ok = GetTempRegForIntArg(3, 0, SargsReg); 

MOZ_ASSERT(ok, "How can we not have four temp registers?"); 
LCallDOMNative *lir = new LCallDOMNative ( argslot , tempFixed ( cxReg ) , 

tempFixed ( ob j Reg) , tempFixed( 
privReg), 
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@@ -398,7 +398,7 §@ LIRGenerator : : vis itCall ( MCall *call) 

// Even though this is just a temp reg, use the same API to avoid 
// register collisions. 

mozilla : : DebugOnly<bool> ok = GetTempRegForIntArg(3, 0, &tmpReg); 
+ mozilla :: DebugOnlyTor<bool > ok = GetTempRegForIntArg(3, 0, StmpReg); 

MOZ_ASSERT(ok, "How can we not have four temp registers?"); 

LCallNative *lir = new LCallNative ( argslot , tempFixed ( cxReg) , 
@@ -1395,7 +1395,7 @@ bool 
LIRGenerator: : visitToDouble(MToDouble *convert) 
{ 

MDefinition *opd = convert - >input () ; 

mozilla :: DebugOnly <MToDouble :: ConversionKind > conversion = convert - >conversion ( ) 

+ mozilla :: DebugOnlyTor <MToDouble :: ConversionKind > conversion = convert-) 
conversion ( ) ; 

switch (opd - >type ( ) ) { 
case MIRType_Value : 

@@ -2767,7 +2767,7 §§ LIRGenerator :: visitSetDOMProperty ( MSetDOMProperty *ins) 
// don't clobber registers we're already using. 
Register tempRegl, tempReg2; 
GetTempRegForIntArg(4, 0, &tempRegl); 

mozilla :: DebugOnly<bool> ok = GetTempRegForIntArg(5, 0, StempReg2); 
+ mozilla :: DebugOnlyTor<bool> ok = GetTempRegForIntArg(5, 0, &tempReg2); 
MOZ_ASSERT(ok, "How can we not have six temp registers?"); 
if ( ! useBoxFixed ( lir , LSetDOMProperty :: Value , val, tempRegl, tempReg2)) 
return false; 

@@ -2782,7 +2782,7 @§ LIRGenerator :: visitGetDOMProperty ( MGetDOMProperty *ins) 
GetTempRegForlntArg (0 , 0, ScxReg); 
GetTempRegForIntArg(l, 0, &objReg); 
GetTempRegForIntArg(2, 0, &privReg); 

mozilla :: DebugOnly<bool> ok = GetTempRegForIntArg(3, 0, SvalueReg); 
+ mozilla :: DebugOnlyTor<bool> ok = GetTempRegForIntArg(3, 0, &valueReg); 

MOZ_ASSERT(ok, "How can we not have four temp registers?"); 

LGetDOMProperty *lir = new LGetDOMProperty ( tempFixed ( cxReg ) , 

useFixed(ins->object(), ob jReg) , 
diff --git a/ js/src/ jit/ Lowering . h b/js/src/ jit/Lowering . h 
index 3d67a2d . . edb9d9a 100644 
— a/ js/src/ jit/Lowering . h 
+++ b/js/src/ jit/Lowering . h 

(5)@ -37,7 +37,7 @(5) class LIRGenerator : public LIRGeneratorSpecif ic 
// The maximum depth, for f ramesizeclass determination. 
uint32_t maxargslots_; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

// In debug builds, check MPrepareCall and MCall are properly 

// nested. The argslots_ mechanism relies on this. 

Vector<MPrepareCall *, 4, SystemAllocPolicy > prepareCallStack_; 
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diff --git a/js/src/jit/MIR.cpp b/js/src/ jit/MIR . cpp 
index eea62f f . . 0c8dald 100644 

— a/js/src/ jit/MIR . cpp 
+++ b/js/src/ jit/MIR . cpp 

(8(5) -644,7 +644,7 @@ MPhi : : reserveLength ( size_t length) 

// capacity. This permits use of addlnputQ instead of addlnputSlow ( ) , the 

// latter of which may call reallocQ. 

DS_ASSERT(numOperands() == 0); 
-#if DEBUG 
+#if !TOR_NASSERT 

capacity_ = length; 
#endif 

return inputs_ . reserve ( length ) ; 
(5)(5) -691,7 +691,7 @@ j it : : MergeTypes (MIRType *ptype, types :: StackTypeSet **ptypeSet, 
void 

MPhi: :specializeType() 
{ 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

DS_ASSERT( ! specialized_) ; 

specialized_ = true; 
#endif 

diff --git a/js/src/jit/MIR.h b/js/src/ jit/MIR . h 
index e9bc029 . . 6d6a68a 100644 
--- a/js/src/jit/MIR.h 
+++ b/js/src/jit/MIR.h 

(5>@ -483,7 +483,7 @@ class MDefinition : public MNode 

void setVirtualRegister ( uint32_t vreg) { 
virtualRegister_ = vreg; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

set LoweredUn checked ( ) ; 

#endif 
} 

@(5) -3601,7 +3601,7 @@ class MPhi : public MDefinition, public InlineForwardListNode< 
MPhi> 

bool triedToSpecialize_; 
bool isIterator_; 

-#if DEBUG 

+#ifndef TOR_NASSERT 

bool specialized_; 
uint32_t capacity_; 
#endif 

@@ -3611,7 +3611,7 @@ class MPhi : public MDefinition, public InlineForwardListNode< 
MPhi> 

hasBackedgeType_( false), 
triedToSpecialize_ (false), 
isIterator_( false) 
-#if DEBUG 
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+#ifndef TOR_NASSERT 

, specialized_(f alse) 
, capacity_(0) 

#endif 

diff --git a/ js/src/ jit/arm/Assembler -arm . cpp b/ js/src/ jit/arm/Assembler -arm . cpp 
index 57a3aa2 . . e47c3d3 100644 

— a/ js/src/ jit /arm /Assembler -arm. cpp 
+++ b/ js/src /jit /arm /Assembler -arm. cpp 
@@ -4,7 +4,7 @@ 

* License, v. 2.0. If a copy of the MPL was not distributed with this 

* file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 

#include "Assembler -arm . h " 
#include "MacroAssembler -arm . h " 
@@ -2312,7 +2312,7 @@ Assembler :: retarget ( Label *label, Label *target) 
} else { 

// The target is unbound and unused. We can just take the head of 
// the list hanging off of label, and dump that into target. 
DebugOnly <uint32_t > prev = target - >use ( label - >off set ()) ; 
+ DebugOnlyTor < uint32_t > prev = target - >use( label - >off set ()) ; 

DS_ASSERT((int32_t)prev == Label :: INVALID_OFFSET) ; 

} 

} 

(5)(5) -2651,7 +2651,7 @@ Assembler :: ToggleToJmp ( CodeLocat ion Label inst_) 
{ 

uint32_t *ptr = (uint32_t * ) inst_ . raw( ) ; 

DebugOnly<Instruction *> inst = (Instruction *) inst_. raw( ) ; 
+ DebugOnlyTor<Instruction *> inst = (Instruction * ) inst_ . raw( ) ; 
DS_ASSERT(inst->is<InstCMP>() ); 

// Zero bits 20-27, then set 24-27 to be correct for a branch. 
(8(5) -2665,7 +2665,7 @@ Assembler :: ToggleToCmp ( CodeLocation Label inst_) 
{ 

uint32_t *ptr = (uint32_t * ) inst_. raw ( ) ; 

DebugOnly<Instruction *> inst = (Instruction *) inst_ . raw( ) ; 
+ DebugOnlyTor<Instruction *> inst = (Instruction * ) inst_ . raw( ) ; 
DS_ASSERT(inst->is<InstBImm>() ); 

// Ensure that this masking operation doesn't affect the offset of the 
diff --git a/ js/src/ j it/arm/MacroAssembler -arm . cpp b/ js/src/ jit/arm/MacroAssembler - 
arm . cpp 

index b7a3167 . . a030f 54 100644 

— a/ js/src/ jit /arm /MacroAssembler -arm. cpp 
+++ b/ js/src /jit /arm /MacroAssembler -arm. cpp 
§§ -4,7 +4,7 @§ 

* License, v. 2.0. If a copy of the MPL was not distributed with this 
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* file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 
#include "mozilla/MathAlgorithms.h" 

#include " jit/arm/MacroAssembler - arm . h" 
§§ -930,7 +930,7 @@ MacroAssemblerARM :: ma_str ( Register rt, const Operand Saddr, Index 
mode, Conditio 

ma_dtr ( IsStore , rt, addr, mode, cc); 

} 

void 

-MacroAssemblerARM :: ma_strd ( Register rt, DebugOnly<Register> rt2, EDtrAddr addr, 

Index mode, Condition cc) 
+MacroAssemblerARM :: ma_strd ( Register rt, DebugOnlyTor<Register> rt2, EDtrAddr addr. 

Index mode, Condition cc) 

{ 

DS_ASSERT((rt.code() & 1) == 0); 
DS_ASSERT(rt2. value. code() == rt.code() + 1); 
(3(5) -971,7 +971,7 @@ Mac roAs semblerARM :: ma_ldrsb ( EDtrAddr addr, Register rt, Index 
mode, Condition cc 
as_extdtr ( Is Load , 8, true, mode, rt, addr, cc); 

} 

void 

-MacroAssemblerARM :: ma_ldrd ( EDtrAddr addr, Register rt, DebugOnly<Register> rt2, 
+MacroAssemblerARM :: ma_ldrd ( EDtrAddr addr, Register rt, DebugOnlyTor<Register> rt2. 

Index mode, Condition cc) 

{ 

DS_ASSERT((rt.code() & 1) == 0); 
(5)@ -1466,13 +1466,13 @@ Mac roAssemblerARM : : ma_vst r ( VFPRegister src, Register base, 
Register index, int32 
bool 

MacroAssemblerARMCompat :: buildFakeExit Frame ( const Register Sscratch, uint32_t * 
offset) 

{ 

DebugOnly < uint32_t > initialDepth = f ramePushed ( ) ; 
+ DebugOnlyTor<uint32_t> initialDepth = f ramePushed () ; 

uint32_t descriptor = MakeFrameDescriptor (f ramePushed () , IonFrame_OptimizedDS) ; 

Push ( Imm32 (descriptor )) ; // descriptor_ 

enterNoPool ( ) ; 

DebugOnly < uint32_t > of f setBef orePush = currentOf f set ( ) ; 
+ DebugOnlyTor<uint32_t > of f setBef orePush = currentOf f set () ; 
Push(pc); // actually pushes $pc + 8. 

// Consume an additional 4 bytes. The start of the next instruction will 
(3(5) -1492,7 +1492,7 @@ Mac roAssemblerARMCompat :: build Fa keExit Frame ( const Register & 
scratch, uint32_t *o 
bool 

MacroAssemblerARMCompat : : buildOOLFakeExitFrame(void *f akeReturnAddr ) 
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{ 

DebugOnly < uint32_t > initialDepth = f ramePushed () ; 
+ Debug0nlyTor<uint32_t> initialDepth = f ramePushed () ; 

uint32_t descriptor = MakeFrameDescriptor (f ramePushed () , IonFrame_OptimizedJS) ; 

Push ( Imm32 (descriptor )) ; // descriptor_ 
diff --git a/ js/src/ jit/arm/MacroAssembler -arm . h b/js/src/ jit/arm/MacroAssembler - arm . 
h 

index 04d68af . . Ib37eb8 100644 
— a/js/src/jit/arm/MacroAssembler-arm.h 
+++ b/js/src/jit/arm/MacroAssembler-arm.h 
@@ -7,7 +7,7 §§ 

#if ndef jit_arm_MacroAssembler_arm_h 

#def ine jit_arm_MacroAssembler_arm_h 

-#include "mozilla/DebugOnly.h" 
+# include " mo zilla/ DebugOnly To r.h" 

#include " j it/a rm/ Assembler- a rm.h" 
#include " jit/IonCaches . h" 
@@ -15,7 +15,7 @@ 
#include " jit/MoveResolver . h " 
#include "jsopcode.h" 

-using mozilla :: DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

namespace js { 
namespace jit { 

(3(5) -258,10 +258,10 @@ class MacroAssemblerARM : public Assembler 

void ma_ldrh ( EDtrAddr addr, Register rt, Index mode = Offset, Condition cc = 
Always ) ; 

void ma_ldrsh ( EDtrAddr addr, Register rt, Index mode = Offset, Condition cc = 
Always ) ; 

void ma_ldrsb ( EDtrAddr addr, Register rt, Index mode = Offset, Condition cc = 
Always ) ; 

void ma_ldrd ( EDtrAddr addr, Register rt, DebugOnly<Register> rt2, Index mode = 
Offset, Condition cc = Always); 
+ void ma_ldrd ( EDtrAddr addr, Register rt, DebugOnlyTor<Register> rt2, Index mode 
= Offset, Condition cc = Always); 
void ma_strb ( Register rt, DTRAddr addr, Index mode = Offset, Condition cc = 
Always ) ; 

void ma_strh ( Register rt, EDtrAddr addr, Index mode = Offset, Condition cc = 
Always ) ; 

void ma_strd ( Register rt, DebugOnly<Register> rt2, EDtrAddr addr, Index mode = 
Offset, Condition cc = Always); 
+ void ma_strd ( Register rt, DebugOnlyTor<Register> rt2, EDtrAddr addr, Index mode 
= Offset, Condition cc = Always); 
// specialty for moving N bits of data, where n == 8,16,32,64 
BufferOffset ma_dataTransf erN ( LoadStore Is, int size, bool IsSigned, 
Register rn, Register rm, Register rt, 
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diff --git a/ js/src/j it/shared/Assembler - shared . h b/j s/src/ jit/shared/Assembler - 

shared . h 
index f c253d8 . . e3ec5ec6 100644 

— a/ j s/src/j it /sha red/Assembler -sha red. h 
+++ b/ j s/src /jit /sha red/Assembler -sha red. h 
@@ -9,7 +9,7 @@ 

#include <limits.h> 

-#include "mozilla/DebugOnly.h" 
+#include "moz ilia/ DebugOnly Tor . h" 
#include "mozilla/PodOperations.h" 

#include "jit/IonAllocPolicy.h" 
@@ -205,7 +205,7 @@ struct LabelBase 

void operator =(const LabelBase Slabel); 
static int id_count; 
public : 

mozilla :: DebugOnly <int> id; 
+ mozilla :: DebugOnlyTor <int> id; 

static const int32_t INVALID_OFFSET = -1; 

LabelBase() : off set_(INVALID_OFFSET) , bound_(f alse) , id ( id_count++) 
@@ -434,7 +434,7 @@ class CodeOf f setLabel 
class CodeLocationJ ump 
{ 

uint8_t *raw_; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
bool absolute_; 
void setAbsolute ( ) { 
absolute_ = true; 
§§ -500,7 +500,7 @@ class CodeLocationDump 
class CodeLocationLabel 
{ 

uint8_t *raw_; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

bool absolute_; 

void setAbsolute ( ) { 
absolute_ = true; 

diff --git a/ js/src/j it/shared/CodeGenerator -x86 - shared . cpp b/js/src/ jit/shared/ 

CodeGenerator-x86-shared.cpp 
index 363ce8a . .87e7e81 100644 

— a/ j s/src/ jit/ sha red/CodeGenerator-x86- shared. cpp 
+++ b/ j s/ src/ jit/ sha red/CodeGenerator-x86- shared. cpp 
@@ -4,7 +4,7 @@ 

* License, v. 2.0. If a copy of the MPL was not distributed with this 

* file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 

-#include " mozilla /DebugOnly. h" 
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+# include "mozilla/DebugOnlyTor.h" 

#include "jscntxt.h" 
#include " j scompartment . h " 
§§ -519,7 +519,7 @@ CodeGeneratorX86Shared : : visitOutOf LineUndoALUOperation ( 
OutOf LineUndoALUOperation 
LInstruction *ins = ool - >ins ( ) ; 
Register reg = ToRegister ( ins - >getDef (0) ) ; 

mozilla : : DebugOnly < LAllocation *> lhs = ins - >getOperand (0) ; 
+ mozilla :: DebugOnlyTor < LAllocation *> lhs = ins - >getOperand (0) ; 
LAllocation *rhs = ins - >getOperand (1) ; 

DS_ASSERT( reg == ToRegister ( lhs )) ; 
@(5) -684,7 +684,7 @@ CodeGeneratorX86Shared : : visitDivPowTwoI ( LDivPowTwoI *ins) 
{ 

Register lhs = ToRegister ( ins - >numerator ()) ; 
Register lhsCopy = ToRegister ( ins - >numeratorCopy ()) ; 
mozilla :: DebugOnly <Register> output = ToRegister ( ins - >output ()) ; 
+ mozilla :: DebugOnlyTor<Register> output = ToRegister ( ins - >output ()) ; 
int32_t shift = ins - >shif t ( ) ; 

// We use def ineReuselnput so these should always be the same, which is 
diff --git a/ js/src/ jit/shared/MacroAssembler -x86 - shared . h b/js/src/ jit/shared/ 

MacroAssembler -x86 -shared. h 
index 6d537f 8 . . 8ef 0794 100644 

— a/j s/src/ jit /shared/Mac roAssembler -x86 -shared. h 
+++ b/js/src/ jit /shared/Mac roAssembler -x86 -shared. h 
@@ -7,7 +7,7 @§ 

#if ndef jit_shared_MacroAssembler_x86_shared_h 
#def ine jit_shared_MacroAssembler_x86_shared_h 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla /DebugOnlyTor . h" 

#ifdef JS_CPU_X86 

# include " jit/x86/Assembler -x86 . h " 
(8(5) -455,7 +455,7 @@ class MacroAssemblerX86Shared : public Assembler 

// Builds an exit frame on the stack, with a return address to an internal 
// non-function. Returns offset to be passed to markSaf epointAt ( ) . 
bool buildFakeExitFrame(const Register Sscratch, uint32_t *offset) { 
mozilla :: DebugOnly < uint32_t > initialDepth = f ramePushed ( ) ; 
+ mozilla :: DebugOnlyTor < uint32_t > initialDepth = f ramePushed () ; 

CodeLabel cl; 

mov ( cl . dest ( ) , scratch); 
diff --git a/ js/src/ j it/x64/Assembler -x64 . cpp b/ js/src/ j it/x64/Assembler -x64 . cpp 
index e4f 253b . . 3b641f 3 100644 

— a/js/src/jit/x64/Assembler-x64.cpp 
+++ b/js/src/ jit /x64/ Assembler -x64 .cpp 
@@ -158,7 +158,7 @@ Assembler: :finish() 
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// Zero the extended jumps table. 

for (size_t i = 0; i < jumps_. length () ; 1++) { 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

size_t oldSize = masm.sizeQ; 

#endif 

masm . jmp_rip (0) ; 

diff --git a/ js/src/ jit/x86/CodeGenerator -x86 . cpp b/ js/src/ jit/x86/CodeGenerator -x86 . 
cpp 

index bc4f 736 . . 7f 93a89 100644 

— a/js/src/jit/x86/CodeGenerator-x86.cpp 
+++ b/js/src/jit/x86/CodeGenerator-x86.cpp 
@@ -4,7 +4,7 §§ 

* License, v. 2.0. If a copy of the MPL was not distributed with this 

* file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 

#include "jsnum.h" 

@@ -20,7 +28,7 @(a> 
using namespace js; 
using namespace js::jitj 

-using mozilla : : DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

using mozilla: :DoubleExponentBias; 

using mozilla: : DoubleExponentShif t ; 

@@ -105,7 +105,7 @@ CodeGeneratorX86 : : visitBox ( LBox *box) 
{ 

const LDefinition *type = box- >getDef (TYPE_INDEX) ; 

DebugOnly < const LAllocation *> a = box - >getOperand (0) ; 
+ DebugOnlyTor<const LAllocation *> a = box - >getOperand (0) ; 
JS_ASSERT( !a->isConstant()); 

// On x86j the input operand and the output payload have the same 
diff --git a/ js/src/ jsanalyze . cpp b/ js/src/ jsanalyze . cpp 
index b42dd4b . . bl23334 100644 

— a/ js/src/ j sanalyze . cpp 
+++ b/ js/src/ j sanalyze . cpp 
@@ -6,7 +6,7 (3(5) 

#include "jsanalyze . h" 

-#include " mozilla /DebugOnly. h" 
+#include "mozilla/ DebugOnly Tor . h" 
#include "mozilla/PodOperations.h" 



May 30, 2014 



Tor Project Confidential 



Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 95 of 154 



#include " j scompartment . h " 
@@ -19,7 +19,7 @@ 
using namespace js; 
using namespace js::analyze; 

-using mozilla : : DebugOnly ; 
+using mozilla :: DebugOnlyTor ; 

using mozilla :: PodCopy; 

using mozilla :: PodZero; 

(5)@ -655,7 +655,7 @@ ScriptAnalysis : : analyzeLif etimes ( JSContext *cx) 
loop - >lastBlock = offset; 

if ( code - >exceptionEntry ) { 

DebugOnly<bool> found = false; 
+ DebugOnlyTor<bool> found = false; 

JSTryNote *tn = script_- >trynotes ( ) - >vector ; 

JSTryNote *tnlimit = tn + script_- >trynotes ( ) - >length ; 

for (; tn < tnlimit; tn++) { 
diff --git a/ js/src/ j sapi . cpp b/ js/src/jsapi . cpp 
index 3632a74 . . b91f 07c 100644 
--- a/js/src/ jsapi . cpp 
+++ b/js/src/ j sapi . cpp 

@(5) -1059,7 +1059,7 @@ DSRuntime : : abortlf WrongThread ( ) const 
MOZ_CRASH(); 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
JS_FRIEND_API(void) 

DSRuntime: : assertValidThread ( ) const 
{ 

diff --git a/ js/src/ j sarray . cpp b/j s/src/ j sarray . cpp 
index 12bb291 . . 90dccd6 100644 
— a/]s/src/ j sarray . cpp 
+++ b/js/src/ j sarray . cpp 
@@ -6,7 +6,7 @@ 

#include "jsarray.h" 

-#include "mozilla/DebugOnly.h" 
+# include "mozilla/ DebugOnly To r.h" 

#include "mozilla/ Floatingpoint. h" 

#include " mozilla/ Ma thAlgorithms.h" 

#include "mozilla/Util . h " 
(8(5) -43,7 +43,7 @(5) using namespace js::types; 

using mozilla :: Abs; 
using mozilla :: ArrayLength ; 
-using mozilla :: DebugOnly ; 
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+using mozilla : : DebugOnlyTor; 
using mozilla :: IsNaN; 
using mozilla :: PointerRangeSize ; 

§§ -2851,7 +2851,7 @(3 EnsureNewArrayElements ( DSContext *cx, DSObject *obj, uint32_t 
length ) 

* If ensureElements creates dynamically allocated slots, then having 

* fixedSlots is a waste. 

*/ 

DebugOnly < uint32_t > cap = ob j - >getDenseCapacity ( ) ; 
+ DebugOnlyTor<uint32_t > cap = ob j - >getDenseCapacity ( ) ; 

if ( ! ob j - >ensureElements ( cx, length)) 
return false; 

diff --git a/ js/src/ jsboolinlines . h b/ js/src/ j sboolinlines . h 
index b85d7ea . . c622ac9 100644 
— a/js/src/ j sboolinlines . h 
+++ b/js/src/ j sboolinlines . h 
@@ -7,7 +1,1 §§ 

#ifndef jsboolinlines_h 

#define jsboolinlines_h 

-#include "mozilla/Assertions.h" 
+# include "mozilla /Assert ions To r.h" 
#include "mozilla/ Likely . h" 

#include " js/RootingAPI . h" 
§§ -33,7 +33,7 @@ EmulatesUndef ined ( DSObject *obj) 



{ 



DSObject *actual = MOZ_LIKELY( ! ob] - >isWrapper ( ) ) ? obj : UncheckedUnwrap ( ob] ) ; 

bool emulatesUndef ined = actual - >getClass ()- >emulatesllndef ined () ; 

MOZ_ASSERT_IF (emulatesUndefined, ob j - >type ( ) - >f lags S types:: 
OBDECT_FLAG_EMULATES_UNDE FINED); 

TBB_MOZ_ASSERT_IF(emulatesUndefined, ob j - >type ( ) - >f lags S types:: 
OBJ ECT_FLAG_EMULATES_UNDE FINED); 

return emulatesUndefined; 



diff --git a/ js/src/jscntxt . cpp b/ js/src/ jscntxt . cpp 
index 9el6009f . . 8e6bd31 100644 
— a/]s/src/ j scntxt . cpp 
+++ b/]s/src/ j scntxt . cpp 
@@ -14,7 +14,7 (3(5) 

#include <stdarg.h> 

#include <string.h> 

-#include " mozilla /DebugOnly. h" 
+#include "moz ilia/ DebugOnly Tor . h" 

#ifdef ANDROID 

# include <android/log. h> 
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(5>@ -56,7 +56,7 (3(5) 
using namespace js; 
using namespace js::gc; 

-using mozilla : : DebugOnly ; 
+using mozilla :: DebugOnlyTor ; 
using mozilla :: PodArrayZero; 
using mozilla :: PodZero; 
using mozilla :: PointerRangeSize ; 
(5)(5) -616,7 +616,7 @@ j s : : ReportUsageE rror ( 1 SContext *cx, HandleObject callee, const 
char *msg) 
const char *usageStr = "usage"; 

PropertyName *usageAtom = Atomize(cx, usageStr, strlen ( usageStr ) ) - > 

asPropertyName(); 
Rootedld id(cx, NameToId ( usageAtom ) ) ; 

DebugOnly <Shape *> shape = static_cast<Shape *> ( callee - >nativeLookup ( cx , id)); 
+ DebugOnlyTor<Shape *> shape = static_cast <Shape *>( callee - >nativeLookup ( cx, id)) 

y 

JS_ASSERT( ! shape- >configurable()); 

DS_ASSERT( ! shape - >writable ()) ; 

JS_ASSERT( shape ->hasDefaultGetter() ); 
diff --git a/ js/src/ jscntxt . h b/ js/src/ jscntxt . h 
index b7aa4b8 . . 8c992c9 100644 
— a/ js/src/ j scntxt . h 
+++ b/js/src/ j scntxt . h 

(8(5) -676,7 +676,7 @@ struct JSRuntime : public 3S :: shadow :: Runtime , 
* Protects all data that is touched in this process. 

*/ 

PRLock *operationCallbackLock; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

PRThread *operationCallbackOwner ; 
#endif 
public : 

@@ -689,13 +689,13 @@ struct DSRuntime : public DS :: shadow :: Runtime , 

AutoLockForOperationCallback(DSRuntime *rt MOZ_GUARD_OBD ECT_NOTI FIE R_PARAM ) 
: rt(rt) { 

MOZ_GUARD_OBDECT_NOTIFIER_INIT; 
PR_Lock(rt->operationCallbackLock); 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

rt - >operationCallbackOwner = PR_GetCurrentThread ( ) ; 

#endif 

} 

~AutoLockForOperationCallback ( ) { 

DS_ASSERT(rt->operationCallbackOwner == PR_GetCurrentThread ( ) ) ; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

rt - >operationCallbackOwner = NULL; 

#endif 

PR_Unlock ( rt->operationCallbackLock); 



May 30, 2014 



Tor Project Confidential 



Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 98 of 154 



(5)@ -711,7 +711,7 @@ struct JSRuntime : public DS :: shadow :: Runtime , 

}; 

bool currentThreadOwnsOperationCallbackLock ( ) { 
-#if defined ( DS_THREADSAFE ) && defined (DEBUG) 
+#if defined ( 3S_THREADSAFE ) && ! defined (TOR_NASSERT ) 

return operationCallbackOwner == PR_GetCurrentThread ( ) ; 

#else 

return true; 

(5)@ -746,7 +746,7 @@ struct JSRuntime : public JS :: shadow :: Runtime , 
void clearOwnerThread ( ) ; 
void setOwnerThread ( ) ; 

JS_FRIEND_API(void) abortlfWrongThread ( ) const; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

DS_FRIEND_API(void) assertValidThread ( ) const; 
#else 

void assertValidThread ( ) const {} 
§§ -893,7 +893,7 @@ struct JSRuntime : public JS :: shadow :: Runtime , 
I* The request depth for this thread. */ 
unsigned requestDepth ; 

-# ifdef DEBUG 
+#ifndef TOR_NASSERT 

unsigned checkRequestDepth ; 

# endif 

#endif 

§§ -989,7 +989,7 @@ struct DSRuntime : public 3S :: shadow :: Runtime , 

*/ 

bool gcStrictCompartmentChecking; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

/* 

* If this is 0, all cross -compartment proxies must be registered in the 

* wrapper map. This checking must be disabled temporarily while creating 
§@ -1037,7 +1037,7 @@ struct DSRuntime : public DS :: shadow :: Runtime , 

*/ 

js: :gc: :ArenaHeader *gcArenasAllocatedDuringSweep; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

js : : gc : : MarkingValidator *gcMarkingValidator; 
#endif 

(S)@ -1367,7 +1367,7 @@ struct JSRuntime : public JS :: shadow :: Runtime, 

js: : ScriptDataTable scriptDataTable; 

-#ifdef DEBUG 
+#ifndef TOR NASSERT 
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size_t noGCOrAllocationCheck; 
#endif 

@@ -1505,7 +1505,7 @@ struct DSRuntime : public JS :: shadow :: Runtime , 
#endif 
} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
public : 

js: : AutoEnterPolicy *enteredPolicy ; 
#endif 

@@ -1718,7 +1718,7 @(5) struct DSContext : js : : ThreadSaf eContext , 
bool hasEnteredCompartment ( ) const { 
return enterCompartmentDepth_ > 0; 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

unsigned getEnterCompartmentDepth ( ) const { 
return enterCompartmentDepth_; 

} 

§§ -1906,7 +1906,7 @@ struct DSContext : js :: ThreadSaf eContext , 

DSAtomState S names() { return runtime ()- >atomState; } 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

/* 

* Controls whether a quadratic - complexity assertion is performed during 

* stack iteration; defaults to true. 

@@ -2420,14 +2420,14 @@ class AutoOb jectHashSet : public AutoHashSetRooterOSObject 



class AutoAssertNoException 
{ 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

DSContext *cx; 

bool hadException ; 
#endif 

public : 

AutoAssertNoException (JSContext *cx) 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
: cx(cx), 

had Exception (cx-> is Except ionPending()) 

#endif 

(8(5) -2497,7 +2497,7 @@ DSBool intrinsic_HaveSameClass ( DSContext *cx, unsigned argc, 
Value *vp); 

DSBool intrinsic_ShouldForceSequential ( JSContext *cx, unsigned argc, Value *vp); 
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DSBool int rinsic_NewParallelArray ( JSContext *cx, unsigned argc, Value *vp); 

-#ifdef DEBUG 
+#ifndef T0R_NASSERT 

JSBool int rinsic_Dump ( DSContext *cx, unsigned argc, Value *vp); 

#endif 

diff --git a/ js/src/ jscntxtinlines . h b/js/src/ jscntxtinlines . h 
index 2838b60 . . b09ed88 100644 

— a/j s/src/ j scntxtinlines . h 
+++ b/js/src/ j scntxtinlines . h 

§§ -314,7 +314,7 (3(3 CallDSNativepSContext *cx, Native native, const CallArgs Sargs) 
{ 

JS_CHECK_RECURSION(cx, return false); 

-#ifdef DEBUG 
+#ifndef T0R_NASSERT 

bool alreadyThrowing = cx- >isExceptionPending ( ) ; 
#endif 

assertSameCompartment (cx , args); 
§§ -330,7 +330,7 @@ STATIC_PRECONDITION_ASSUME(ubound(args.argv_) >= argc) 
3S_ALWAYS_INLINE bool 

CallNativelmpl ( JSContext *cx, Nativelmpl impl, const CallArgs Sargs) 
{ 

-#ifdef DEBUG 
+#ifndef T0R_NASSERT 

bool alreadyThrowing = cx - >isExceptionPending ( ) ; 
#endif 

assertSameCompartment (cx, args); 
@(5) -346,7 +346,7 @@ STATIC_PRECONDITION ( ubound ( args . argv_) >= argc) 
JS_ALWAYS_INLINE bool 

Call JSNativeConstructor ( JSContext *cx, Native native, const CallArgs Sargs) 
{ 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

RootedObject callee(cx, Sargs . callee ()) ; 
#endif 

diff --git a/ js/src/ jscompartment . cpp b/js/src/ j scompartment . cpp 
index c448el0 . . Ia668ef 100644 

— a/ js/src/ j scompartment . cpp 
+++ b/js/src/ j scompartment . cpp 
@@ -6,7 +6,7 @@ 

#include " j scompartment . h " 

-#include "mozilla/DebugOnly.h" 
+#include "moz ilia/ DebugOnly Tor . h" 

#include "jscntxt.h" 
#include "jsgc.h" 
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(5>@ -30,7 +30,7 @@ 
using namespace js; 
using namespace js::gc; 

-using mozilla :: DebugOnly ; 
+using mozilla : : DebugOnlyTor ; 

JSCompartment : : JSCompartment ( Zone *zone, const JS : : CompartmentOptions Soptions = JS 
: :CompartmentOptions()) 
: zone_(zone), 

(6)@ -270,7 +270,7 @@ JSCompa rtment : : wrap ( J SContext *cx, MutableHandleValue vp, 
HandleObject existingA 
if (WrapperMap : : Ptr p = crossCompartmentWrappers . lookup ( key ) ) { 
vp . set (p- >value ) ; 
if (vp.isObjectQ) { 

DebugOnly< JSObject *> obj = &vp . toOb ject ( ) ; 
+ DebugOnlyTor< JSObject *> obj = &vp . toObject ( ) ; 

JS_ASSERT (ob j ->isCrossCompartmentWrapper()); 
J S_ASSERT (obj->getParent() == global); 

} 

diff --git a/ js/src/ jsgc . cpp b/ js/src/ jsgc . cpp 
index 53a636e . . 8a8496f 100644 

--- a/ js/src/ jsgc . cpp 
+++ b/js/src/ jsgc . cpp 
@@ -10,7 +10,7 §§ 

#include "prmjtime.h" 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla /DebugOnlyTor . h" 
#include "mozilla/Util . h " 

/* 

§§ -89,7 +89,7 @@ using namespace js; 
using namespace js::gc; 

using mozilla :: Array End ; 
-using mozilla :: DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

using mozilla :: Maybe; 

/* Perform a Full GC every 20 seconds if MaybeGC is called */ 
@@ -300,7 +300,7 @@ Arena :: finalize( FreeOp *fop, AllocKind thingKind, size_t 
thingSize ) 
FreeSpan *newListTail = &newListHead ; 
uintptr_t newFreeSpanStart = 0; 
bool allClear = true; 
DebugOnly < size_t > nmarked = 0; 
+ DebugOnlyTor < size_t > nmarked = 0; 
for (;; thing += thingSize) { 

JS_ASSERT(thing <= lastByte + 1); 
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if (thing == next Free . first ) { 
§§ -612,7 +612,7 @@ Chunk: : prepareToBeFreed ( DSRuntime *rt) 

rt->gcNumArenasFreeCommitted -= inf o . numArenasF reeCommitted ; 
rt->gcStats . count (gc stats : : STAT_DESTROY_CHUNK) ; 

-#ifdef DEBUG 
+#ifndef T0R_NASSERT 
/* 

* Let FreeChunkList detect a missing prepareToBeFreed call before it 

* frees chunk. 

@@ -1774,7 +1774,7 @@ void 
GCMarker : : checkZone( void *p) 
{ 

DS_ASSERT(started); 

DebugOnly<Cell *> cell = static_cast <Cell *>(p); 
+ DebugOnlyTor<Cell *> cell = static_cast<Cell *>(p); 

JS_ASSERT_IF (cell - >isTenured ( ) , cell - >tenuredZone ( )->isCollecting()); 

} 

#endif 

diff --git a/ js/src/ j sgc . h b/ js/src/ j sgc . h 
index 4bf 5c2f . . 92ebla4 100644 
--- a/js/src/ jsgc . h 
+++ b/js/src/ j sgc . h 
@@ -9,7 +9,7 @@ 

#ifndef jsgc_h 

#define jsgc_h 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 
#include "mozilla/Util . h " 

#include "jsalloc.h" 
§@ -1138,12 +1138,12 @@ struct GCMarker : public JSTracer { 

/* The color is only applied to objects and functions. */ 
uint32_t color; 

mozilla : : DebugOnly<bool> started; 
+ mozilla :: DebugOnlyTor<bool> started; 

/* Pointer to the top of the stack of arenas we are delaying marking on. */ 
js: : gc : :ArenaHeader *unmarkedArenaStackTop; 
/* Count of arenas that are currently in the stack. */ 
mozilla :: DebugOnly<size_t> markLaterArenas; 
+ mozilla :: DebugOnlyTor<size_t> markLaterArenas; 

bool grayFailed; 

}; 

diff --git a/ js/src/ jsgcinlines . h b/ js/src/ jsgcinlines . h 
index 7e95862 . . e2880ea 100644 
— a/ js/src/ j sgcinlines . h 
+++ b/ js/src/ j sgcinlines . h 
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@@ -361,7 +361,7 @@ class Celllter : public Celllterlmpl 
{ 

ArenaLists *lists; 
AllocKind kind; 
-#ifdef DEBUG 
+#ifndef T0R_NASSERT 
size_t *counter; 
#endif 
public : 

@@ -386,7 +386,7 §@ class Celllter : public Celllterlmpl 
JS_ASSERT( ! zone - > rt - >isHeapBusy ( ) ); 
lists - > copy Free List ToArena ( kind ) ; 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

counter = Szone - >rt - >noGCOrAllocationCheck; 

++*counter; 

#endif 

@@ -394,7 +394,7 §@ class Celllter : public Celllterlmpl 
} 

~CellIter() { 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

JS_ASSERT(*counter > 0); 

- -*counter ; 

#endif 

diff --git a/ js/src/ jsinf er . cpp b/js/src/ j sinf er . cpp 
index e961f 11 . . bd4850b 100644 
— a/js/src/jsinfer. cpp 
+++ b/js/src/ j sinf er . cpp 
@@ -6,7 +6,7 @@ 

#include "jsinfer.h" 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 
#include "mozilla/PodOperations.h" 

#include "jsapi.h" 
(S@ -47,7 +47,7 @(S) using namespace js::gc; 
using namespace js::types; 
using namespace js:: analyze; 

-using mozilla : : DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

using mozilla :: PodArrayZero; 

using mozilla :: PodCopy; 

using mozilla :: PodZero; 
@@ -119,7 +119,7 @@ static bool Inf erSpewActive ( SpewChannel channel) 
return active [ channel ] ; 
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-#ifdef DEBUG 
+#ifndef T0R_NASSERT 

static bool Inf erSpewColorable ( ) 
{ 

@@ -1768,7 +1768,7 @@ Stac kTy peSet : : get KnownTypeTag ( ) 

* that the exact tag is unknown, as it will stay unknown as more types are 

* added to the set. 

*/ 

DebugOnly<bool> empty = flags == 0 && baseObjectCount ( ) == 0; 
+ DebugOnlyTor <bool > empty = flags == 0 && baseObjectCount ( ) == 0; 
DS_ASSERT_IF (empty , type == 3SVAL_TYPE_UNKN0WN ) ; 

return type; 

@@ -1795,7 +1795,7 @@ HeapTypeSet : : getKnownTypeTag ( DSContext *cx) 

* that the exact tag is unknown, as it will stay unknown as more types are 

* added to the set. 

*/ 

DebugOnly<bool> empty = flags == 0 && baseObjectCount ( ) == 0; 
+ DebugOnlyTor <bool > empty = flags == 0 && baseObjectCount ( ) == 0; 
DS_ASSERT_IF (empty , type == 3SVAL_TYPE_UNKN0WN ) ; 

return type; 

@(5) -6003,7 +6003,7 @(5) TypeObjectEntry :: match (TypeObject *key, const Lookup &lookup) 
return key->proto == lookup . proto . raw( ) && key->clasp == lookup . clasp; 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
bool 

JSObject :: hasNewType (Class *clasp, TypeObject *type) 
{ 

diff --git a/ js/src/ jsinf er . h b/ js/src/ jsinf er . h 
index 61476d8 . . 8f 9f 47d 100644 

— a/ js/src/ j sinfer . h 
+++ b/ js/src/ j sinfer . h 

@§ -1475,7 +1475,7 @@ enum SpewChannel { 
SPEW_COUNT 

}; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

const char * Inf erSpewColorReset ( ) ; 

const char * InferSpewColor(TypeConstraint *constraint) ; 
diff --git a/ js/src/ jsinf erinlines . h b/js/src/ jsinf erinlines . h 
index d4c57al . . f 3bcb86 100644 

— a/ js/src/ j sinf erinlines . h 
+++ b/js/src/ j sinf erinlines . h 
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@@ -122,7 +122,7 @@ Compiler-Output : :isValid() const 
if ( ! script ) 

return false; 

-#if defined(DEBUG) && defined ( JS_I0N ) 

+#if ! def ined(T0R_NASSERT) && defined ( DS_I0N) 

TypeCompartment Stypes = script - >compartment ()- >types ; 
#endif 

diff --git a/ js/src/ jsmemorymetrics . cpp b/ js/src/ jsmemorymetrics . cpp 
index 5851e0c .. 7291799 100644 
— a/js/src/ j smemorymetrics . cpp 
+++ b/js/src/j smemorymetrics. cpp 
@@ -6,7 +6,7 @@ 

#include " js/MemoryMetrics . h" 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 

#include "jsapi.h" 
#include "jscntxt.h" 
(5>@ -21,7 +21,7 @@ 

#include " j sob j inlines . h " 

-using mozilla : : DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

using namespace js; 

@@ -328,7 +328,7 (3(3 3S : : CollectRuntimeStats ( JSRuntime *rt, RuntimeStats *rtStats, 
ObjectPrivateVisit 
// Take the "explicit/ js/runtime/" measurements. 

rt->sizeOfIncludingThis(rt Stats - >mallocSizeOf _, &rtStats->runtime); 

DebugOnly < size_t > totalArenaSize = 0; 
+ DebugOnlyTor<size_t> totalArenaSize = 0; 

rtStats - >gcHeapGcThings = 0; 

for (size_t i = 0; i < rtStats - >zoneStatsVector . length () ; i++) { 
@@ -336,7 +336,7 @@ 3S : : CollectRuntimeStats ( JSRuntime *rt, RuntimeStats *rtStats, 
ObjectPrivateVisit 

rtStats ->zTotals .add (zStats); 

rtStats - >gcHeapGcThings += zStats . GCHeapThingsSize ( ) ; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

totalArenaSize += zStats . gcHeapArenaAdmin + zStats . gcHeapUnusedGcThings ; 

#endif 
} 



May 30, 2014 



Tor Project Confidential 



Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 106 of 154 



@@ -348,7 +348,7 (3(3 JS : : CollectRuntimeStats ( DSRuntime *rt, RuntimeStats *rtStats, 
ObjectPrivateVisit 

rtStats - >gcHeapGcThings += cStats . GCHeapThingsSize ( ) ; 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

totalArenaSize += rtStats - >gcHeapGcThings ; 

DS_ASSERT(totalArenaSize % gc : : ArenaSize == 0); 
#endif 

diff --git a/ js/src/jsob j . h b/js/src/ jsobj . h 
index 7e4e534 . . ebf eel8 100644 

— a/ js/src/ j sob j . h 
+++ b/js/src/ j sob j . h 

(3(3 -417,7 +417,7 (3(3 class DSObject : public j s : : Ob jectlmpl 

j s :: types :: TypeObject *getNewType ( JSContext *cx, js::Class *clasp, JSFunction 
fun = NULL); 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

bool hasNewType ( j s :: Class *clasp, j s :: types :: TypeObject *newType); 
#endif 

diff --git a/ js/src/ jsonparser . h b/js/src/jsonparser.h 
index ad4823d . . 8f lc691 100644 

— a/js/src/ j sonparser . h 
+++ b/js/src/ j sonparser . h 

(3(3 -100,7 +100,7 @@ class MOZ_STACK_CLASS JSONParser : private AutoGCRooter 
Vector<ElementVector*, 5> f reeElements; 
Vector<PropertyVector*, 5> f reeProperties ; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
Token lastToken; 
#endif 

(3@ -120,7 +120,7 @@ class MOZ_STACK_CLASS DSONParser : private AutoGCRooter 

stack( cx) , 

freeElements(cx), 

freeProperties(cx) 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

, lastToken ( Error ) 

#endif 
{ 

(3@ -162,7 +162,7 @@ class MOZ_STACK_CLASS DSONParser : private AutoGCRooter 
Token token(Token t) { 

DS_ASSERT(t != String); 

DS_ASSERT(t != Number); 
-#ifdef DEBUG 



May 30, 2014 



Tor Project Confidential 



Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 107 of 154 



+#ifndef T0R_NASSERT 

lastToken = t; 

#endif 

return t; 

@@ -170,7 +170,7 @@ class MOZ_STACK_CLASS JSONParser : private AutoGCRooter 

Token stringToken ( DSString *str) { 

this->v = StringValue ( str) ; 
-#ifdef DEBUG 
+#ifndef T0R_NASSERT 

lastToken = String; 

#endif 

return String; 

@@ -178,7 +178,7 (3(3 class MOZ_STACK_CLASS JSONParser : private AutoGCRooter 

Token numberToken ( double d) { 

this->v = NumberValue(d) ; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

lastToken = Number; 

#endif 

return Number; 

diff --git a/ js/src/ jsopcode . cpp b/ js/src/ j sopcode . cpp 
index facb4cf .. 313735a 100644 
— a/js/src/ j sopcode . cpp 
+++ b/js/src/ j sopcode . cpp 

(3(3 -735,7 +735,7 (3(3 Sprinter :: realloc_( size_t newSize) 

Sprinter: : Sprinter (HSContext *cx) 
: context(cx), 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

initialized (false), 
#endif 

base(NULL), size(0), offset(0), reportedOOM(false) 
(3(3 -743,7 +743,7 (3(3 Sprinter :: Sprinter ( DSContext *cx) 

Sprinter: :~Sprinter() 
{ 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
if (initialized) 

checklnvariantsQ; 

#endif 

(3(3 -757,7 +757,7 (3(3 Sprinter :: init ( ) 

base = (char *) context - >malloc_( DefaultSize ) ; 

if (Ibase) 

return false; 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

initialized = true; 
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#endif 

*base = 0; 

diff --git a/ js/src/ jsopcode . h b/js/src/ jsopcode . h 
index 77f 5141 . . aa4be3b 100644 

— a/ js/src/ j sopcode . h 
+++ b/js/src/ j sopcode . h 

@@ -316,7 +316,7 @@ class Sprinter 

private : 

static const size_t DefaultSize; 
-#ifdef DEBUG 
+#ifndef T0R_NASSERT 

bool initialized; /* true if this is initialized, use for 

debug builds */ 

#endif 

char *base; /* malloc'd buffer address */ 

@@ -529,7 +529,7 @@ class PCCounts 
{ 

friend class ::JSScript; 

double *counts; 
-#ifdef DEBUG 
+#ifndef T0R_NASSERT 

size_t capacity; 
#elif DS_BITS_PER_WORD == 32 

void *padding; 

diff --git a/ js/src/jsref lect . cpp b/js/src/jsref lect . cpp 
index 59f 6b89 . . cb29ecb 100644 

— a/ js/src/ j sref lect . cpp 
+++ b/js/src/ j sref lect . cpp 
@@ -10,7 +10,7 (3(5) 

#include <stdlib.h> 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 
#include "mozilla/Util . h " 

#include "jspubtd.h" 
(S)@ -30,7 +30,7 @(S) using namespace js; 
using namespace js : : f rontend; 

using mozilla :: Array Length ; 
-using mozilla :: DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

char const * const js : : aopNames [ ] = { 
"=", /* AOP_ASSIGN */ 
@@ -1480,7 +1480,7 @@ class ASTSerializer 
JSContext *cx; 
Parser <FullParseHandler> * parser; 
NodeBuilder builder; 
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DebugOnly < uint32_t > lineno; 
+ DebugOnlyTor<uint32_t > lineno; 

Value unrootedAtomContents ( JSAtom *atom) { 

return StringValue ( atom ? atom : cx- >names (). empty ) ; 
diff --git a/ js/src/ j sscript . h b/js/src/ jsscript . h 
index 9b4c5cl . . 8d00773 100644 

— a/js/src/ j sscript . h 
+++ b/js/src/ j sscript . h 

(5>(5) -470,7 +470,7 @@ class JSScript : public js::gc::Cell 

* or has had backedges taken. Reset if the 

* script's JIT code is forcibly discarded. */ 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

// Unique identifier within the compartment for this script, used for 

// printing analysis information. 

uint32_t id_; 
@@ -762,7 +762,7 @@ class JSScript : public js::gc::Cell 

/* Return whether this script was compiled for 'eval' */ 

bool isForEval() { return isCachedEval || isActiveEval ; } 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
unsigned id(); 
#else 

unsigned id() { return 0; } 
diff --git a/ js/src/ jstypedarray . cpp b/js/src/ jstypedarray . cpp 
index 9d02d06 . . b85e768 100644 

— a/js/src/jstypedarray.cpp 
+++ b/j s/src/ j stypedarray . cpp 

(51(5) -738,7 +738,7 (a)(5) ArrayBuf f erObject : : obj_trace ( JSTracer *trc, JSObject *obj) 
Set Buff erLink(f irstView, *buf List) ; 
*bufList = ob j ; 
} else { 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

bool found = false; 

for (JSObject *p = ob j - >compartment ( ) - >gc LiveArrayBuf f ers ; p; p 
Buff erLink(p) ) { 
if (p == obj) 
(3(5) -1808,7 +1808,7 @(5) class TypedArrayTemplate 
return NULL; 
obj -> set LastPropertyInfallible( empty); 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

uint32_t buf f erByteLength = buf f er - >byteLength ( ) ; 

uint32_t arrayByteLength = static_cast < uint32_t > ( byteLengthValue (ob j ) . 
to!nt32()); 
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uint32_t arrayByteOf f set = static_cast < uint32_t > ( byteOf f setValue (ob j ) . 
toInt32())j 

§§ -2045,7 +2045,7 @@ class TypedArrayTemplate 

uint32_t byteSrc = srcBegin * sizeof (NativeType) ; 
uint32_t byteSize = nelts * sizeof (NativeType) ; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

uint32_t viewByteLength = byteLengthValue (tarray ) . toInt32 ( ) ; 

3S_ASSERT( byteDest <= viewByteLength); 

DS_ASSERT( byteSrc <= viewByteLength); 
§§ -2369,7 +2369,7 @§ class TypedArrayTemplate 

SkipRoot skipDest(cx, Sdest); 

SkipRoot skipSrc(cx, &src); 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

JSRuntime *runtime = cx- >runtime ( ) ; 

uint64_t gcNumber = runtime - >gcNumber; 

#endif 

diff --git a/ js/src/ jsutil . cpp b/js/src/ jsutil . cpp 
index bcabl24 . . e29d3f b 100644 

— a/j s/src/ j sutil . cpp 
+++ b/js/src/ j sutil . cpp 
@@ -8,7 +8,7 (3(5) 

#include "jsutil. h" 

-#include "mozilla/Assertions.h" 
+# include " mozilla/ Assert ions To r.h" 
#include "mozilla/PodOperations.h" 

#include <stdio.h> 

§§ -154,8 +154,8 (3(3 JS_STATIC_ASSERT(sizeof (void *) == sizeof(void (*)())); 
3S_PUBLIC_API(void) 

JS_Assert ( const char *s, const char *file, int In) 
{ 

MOZ_ReportAssertionFailure(s, file, In); 
MOZ_CRASH(); 

+ TBB_MOZ_ReportAssertionFailure(s, file, In); 
+ TBB_MOZ_CRASH(); 
} 

#ifdef DS_BASIC_STATS 
diff --git a/ js/src/ j sworkers . cpp b/ js/src/ jsworkers . cpp 
index 57bl6ea .. 277534b 100644 

— a/js/src/ j sworkers . cpp 
+++ b/js/src/ j sworkers . cpp 
@@ -6,7 +6,7 @@ 

#include " jsworkers . h" 



May 30, 2014 



Tor Project Confidential 



Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 111 of 154 



-#include "mozilla/DebugOnly.h" 
+#include "mozilla/DebugOnlyTor . h" 

#include "prmjtime.h" 

§@ -18,7 +18,7 @@ 

using namespace js; 

-using mozilla : : DebugOnly ; 
+using mozilla :: DebugOnlyTor; 

#ifdef J S_PARAL L E L_COHPI LATION 

@@ -230,7 +238,7 @@ WorkerThreadState : : loc k ( ) 
{ 

3S_ASSERT( !isLocked())j 
PR_Lock(workerLock); 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

lockOwner = PR_GetCurrentThread ( ) ; 
#endif 
} 

@@ -239,13 +239,13 @@ void 
WorkerThreadState: :unlock() 
{ 

DS_ASSERT( isLockedQ); 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

lockOwner = NULL; 
#endif 

PR_Un lock (worker Lock) ; 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
bool 

WorkerThreadState: :isLocked() 
{ 

@@ -257,14 +257,14 @@ void 
WorkerThreadState :: wait ( CondVar which, uint32_t millis) 
{ 

DS_ASSERT( isLocked()); 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

lockOwner = NULL; 
#endif 

DebugOnly<PRStatus> status = 
+ DebugOnlyTor<PRStatus > status = 

PR_WaitCondVar( (which == MAIN) ? mainWakeup : helperWakeup , 
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millis ? PR_MillisecondsToInterval (millis ) : 
PR_INTERVAL_NO_TIMEOUT ) ; 
]S_ASSERT(status == PR_SUCCESS); 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

lockOwner = PR_GetCurrentThread ( ) ; 
#endif 
} 

§§ -389,7 +389,7 (a)(5) WorkerThread : : handlelonWorkload (WorkerThreadState Sstate) 
ionBuilder = state . ionWorklist . popCopy () ; 

DebugOnly < jit : : ExecutionMode > executionMode = ionBuilder - >info (). executionMode ( ) 

+ DebugOnlyTor< jit : : ExecutionMode > executionMode = ionBuilder - >info( ) . 
executionMode ( ) ; 
DS_ASSERT( GetlonScript ( ionBuilder - >script () , executionMode) == 
ION_COMPILING_SCRIPT) ; 

state . unlock ( ) ; 
diff --git a/ js/src/ j sworkers . h b/ js/src/ jsworkers . h 
index f 29aa81 . . c4ae0b9 100644 

— a/ js/src/ j sworkers . h 
+++ b/ js/src/ j sworkers . h 

@@ -69,7 +69,7 @@ class WorkerThreadState 
void lock(); 
void unlock(); 

-# ifdef DEBUG 
+#ifndef TOR_NASSERT 
bool isLocked(); 

# endif 

@@ -112,7 +112,7 @@ class WorkerThreadState 

*/ 

PRLock *workerLock; 

-# ifdef DEBUG 
+#ifndef TOR_NASSERT 

PRThread *lockOwner; 

# endif 

diff --git a/ js/src/shell/ js . cpp b/ js/src/shell/ js . cpp 
index 7aa9380 . . 120b328 100644 

— a/ js/src/shell/ js . cpp 
+++ b/ js/src/shell/ js . cpp 
(5)@ -13,7 +13,7 (3(5) 

#include <stdlib.h> 
#include <string.h> 

-#include "mozilla/DebugOnly.h" 
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+# include "mozilla/DebugOnlyTor.h" 
#include "mozilla/GuardObjects.h" 
#include "mozilla/Util . h " 

@@ -2899,7 +2899,7 @@ WatchdogMain ( void *arg) 

uint64_t sleepDuration = PR_INTERVAL_NO_TIMEOUT; 
if (gWatchdogHasTimeout ) 

sleepDuration = PR_TicksPerSecond ( ) / 10; 
mozilla : : DebugOnly <PRStatus > status = 
+ mozilla :: DebugOnlyTor<PRStatus > status = 

PR_WaitCondVar(gWatchdogWakeup , sleepDuration); 
DS_ASSERT(status == PR_SUCCESS); 

} 

(g)(5) -4537,7 +4537,7 @@ dom_genericSetter ( DSContext * cx, unsigned argc, 3S::Value *vp); 
static JSBool 

dom_genericMethod ( DSContext *cx, unsigned argc, 3S::Value *vp); 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

static DSClass *GetDomClass ( ) ; 

#endif 

@@ -4628,7 +4628,7 (a)(5) static DSClass dom_class = { 
DSCLASS_NO_INTERNAL_MEMBERS 

}; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
static JSClass *GetDomClass ( ) { 
return &dom_class; 

} 

diff --git a/ js/src/vm/GlobalObject . h b/ js/src/vm/GlobalOb ject . h 
index 1869ab9 .. 2927367 100644 
— a/ js/src/vm/GlobalObject . h 
+++ b/ js/src/vm/GlobalObject . h 
@@ -7,7 +7,7 @@ 

#ifndef vm_GlobalObject_h 

#define vm_Global0b3'ect_h 

-#include " mozilla /DebugOnly. h" 
+#include "moz ilia/ DebugOnly Tor . h" 

#include "jsarray.h" 
#include "jsbool.h" 
@@ -382,7 +382,7 @@ class GlobalObject : public DSObject 
return true; 

if ( ! cx- >runtime ( ) - >cloneSelf HostedValue (cx, name, value)) 
return false; 

mozilla :: DebugOnly<bool > ok = JS_Def inePropertyByld (cx, holder, id, value, 
NULL, NULL, 0); 
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+ mozilla : : DebugOnlyTor<bool> ok = JS_Def inePropertyByld ( cx, holder, id, value 

, NULL , NULL, 0); 

DS_ASSERT(ok) ; 
return true; 

} 

diff --git a/ js/src/vm/Interpreter . cpp b/js/src/vm/Interpreter . cpp 
index 30a7627 . . a6af 6ca 100644 

— a/ js/src/vm/Interpreter . cpp 
+++ b/ js/src/vm/Interpreter . cpp 
@@ -10,7 +10,7 (3(5) 

#include " Interpreter . h " 

-#include " mozilla /DebugOnly.h" 
+#include "moz ilia/ DebugOnly Tor . h" 

#include "mozilla/ Floatingpoint. h" 

#include "mozilla/PodOperations.h" 

@@ -58,7 +58,7 (5)(5) using namespace js; 
using namespace js::gc; 
using namespace js::types; 

-using mozilla :: DebugOnly ; 
+using mozilla :: DebugOnlyTor; 
using mozilla :: PodCopy; 

/* Some objects (e.g., With) delegate 'this' to another object. */ 
§§ -1198,7 +1198,7 @(5) Interpret(DSContext *cx, RunState Sstate) 

Rootedld rootld0(cx); 

RootedShape rootShape0(cx) ; 

RootedScript rootScript0(cx) ; 

Debug0nly<uint32_t> blockDepth; 
+ DebugOnlyTor<uint32_t > blockDepth; 

#if DS_HAS_GENERATORS 

if (3S_UNLIKELY(regs.fp()->isGeneratorFrame())) { 
diff --git a/ js/src/vm/Monitor . h b/ js/src/vm/Monitor . h 
index 9aaa504 . . c814aa2 100644 

— a/ js/src/vm/Monitor . h 
+++ b/ js/src/vm/Monitor . h 

@@ -69,7 +69,7 @(3 class AutoLockMonitor 

void wait() { 
#ifdef DS_THREADSAFE 

mozilla :: DebugOnly<PRStatus > status = 
+ mozilla :: DebugOnlyTor < PRStatus > status = 

PR_WaitCondVar ( monitor. condVar_, PR_INTERVAL_NO_TIMEOUT) ; 
JS_ASSERT( status == PR_SUCCESS); 

#endif 

diff --git a/ js/src/vm/NumericConversions . h b/ js/src/vm/NumericConversions . h 
index 61511a0 . . a75dcbb 100644 
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— a/js/src/vm/NumericConversions.h 
+++ b/js/src/vm/NumericConversions.h 
@@ -7,7 +7,7 (3(5) 

#ifndef vm_NumericConversions_h 
#define vm_NumericConversions_h 

-#include "mozilla/Assertions.h" 
+# include " mo zilla/ Assert ions To r.h" 

#include "mozilla/Casting . h" 

#include "mozilla/FloatingPoint.h" 

#include "mo zilla/ TypeTraits.h" 
(8(5) -38,7 +38,7 (3(3 template<typename ResultType> 

inline ResultType 

Tollintwidth(double d) 

{ 

MOZ_STATIC_ASSERT(mozilla : : I sUnsigned< ResultType > : : value, 
+ TBB_MOZ_STATIC_ASSERT(mozilla : : IsUnsigned<ResultType> : : value, 

"ResultType must be an unsigned type"); 

uint64_t bits = mozilla : : BitwiseCast < uint64_t > (d ) ; 
@@ -69,7 +69,7 @§ ToUintWidth(double d) 

// The significand contains the bits that will determine the final result. 
// Shift those bits left or right, according to the exponent, to their 
// locations in the unsigned binary representation of f loor ( abs (d ) ) . 
MOZ_STATIC_ASSERT(sizeof (ResultType) <= sizeof (uint64_t) , 
+ TBB_MOZ_STATIC_ASSERT( sizeof (ResultType) <= sizeof ( uint64_t ) , 

" Left - shifting below would lose upper bits"); 
ResultType result = (exponent > mozilla :: DoubleExponentShif t ) 
? ResultType ( bits << (exponent - mozilla:: 
DoubleExponentShift)) 
(3(3 -113,7 +113,7 (3(5) template<typename ResultType> 
inline ResultType 
ToIntWidth(double d) 
{ 

MOZ_STATIC_ASSERT( mozilla : : I sSigned< ResultType > : : value, 
+ TBB_MOZ_STATIC_ASSERT( mozilla : : I sSigned< ResultType > : : value, 

"ResultType must be a signed type"); 

const ResultType MaxValue = (1ULL << (CHAR_BIT * sizeof (ResultType) - 1)) - 1; 
diff --git a/ js/src/vm/Ob jectlmpl - inl . h b/ js/src/vm/Objectlmpl - inl . h 
index c5a4b4a . . 560be3d 100644 

— a/ js/src/vm/Ob jectlmpl - inl . h 
+++ b/ js/src/vm /Ob jectlmpl- inl. h 
(3(3 -7,7 +7,7 (3(5) 

#ifndef vm_Ob jectlmpl_inl_h 
#define vm_Ob jectlmpl_inl_h 

-#include "mozilla/Assertions.h" 
+# include "mo zilla /Assert ions To r.h" 

#include " j scompartment . h " 
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#include "jsgc.h" 
@@ -126,35 +126,35 @@ j s :: Ob jectlmpl :: is Extensible ( ) const 
inline uint32_t 

js : :ObjectImpl: :getDenseInitializedLength() 
{ 

MOZ_ASSERT(isNative()); 
+ TBB_MOZ_ASSERT(isNative()); 

return get ElementsHeader()-> initialized Length; 

} 

inline uint32_t 

js: :ObjectImpl: :getDenseCapacity() 
{ 

MOZ_ASSERT(isNative()); 
+ TBB_MOZ_ASSERT(isNative()); 

return getElementsHeader()->capacity; 

} 

inline js : : HeapSlotArray 

js: :ObjectImpl: :getDenseElements() 

{ 

MOZ_ASSERT(isNative()); 
+ TBB_MOZ_ASSERT(isNative()); 

return HeapSlotArray ( elements ) ; 

} 

inline const js::Value & 

js: :ObjectImpl: :getDenseElement ( uint32_t idx ) 
{ 

MOZ_ASSERT(isNative( ) && idx < getDenselnitializedLength ( ) ) ; 
+ TBB_MOZ_ASSERT(isNative() S& idx < getDenselnitializedLength ()) ; 
return elements [ idx] ; 

} 

inline bool 

js: :ObjectImpl: :containsDenseElement( uint32_t idx) 
{ 

MOZ_ASSERT(isNative()); 
+ TBB_MOZ_ASSERT(isNative()); 

return idx < getDenselnitializedLength ( ) && ! elements [ idx ]. isHagic ( 
JS_ELEMENTS_HOLE ) ; 

} 

@@ -163,7 +163,7 @@ js: :ObjectImpl: : getSlotRangeUnchecked ( uint32_t start, uint32_t 
length , 

HeapSlot **f ixedStart , HeapSlot **fixedEnd, 
HeapSlot **slotsStart , HeapSlot **slotsEnd) 

{ 

MOZ_ASSE RT (start + length >= start); 
+ TBB_MOZ_ASSERT( start + length >= start); 
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uint32_t fixed = numFixedSlots ( ) ; 

if (start < fixed) { 
-190,7 +190,7 @@ js : : Objectlmpl : : getSlotRange ( uint32_t start, uint32_t length, 

HeapSlot **f ixedStart , HeapSlot **fixedEnd, 
HeapSlot ** slotsStart , HeapSlot **slotsEnd) 

MOZ_ASSERT(slotInRange(start + length, SENTINEL_AL LOWED) ) ; 
TBB_MOZ_ASSERT(slotInRange(start + length, SENTINEL_AL LOWED) ) ; 

getSlotRangeUnchecked ( start , length, fixedStart, fixedEnd, slotsStart, slotsEnd) 



§@ -220,20 +220,20 @@ j s : : Ob j ectlmpl : : isProxy ( ) const 
inline js::HeapSlot S 

js : : Objectlmpl : : nativeGetSlotRef ( uint32_t slot ) 
{ 

MOZ_ASSERT (isNativeQ); 

MOZ_ASSERT(slot < slotSpan()); 
+ TBB_MOZ_ASSERT(isNative()); 
+ TBB_MOZ_ASSERT(slot < slotSpan()); 

return getSlotRef ( slot ) ; 

} 

inline const js::Value & 

js : : Ob jectlmpl : : nativeGetSlot ( uint32_t slot) const 
{ 

MOZ_ASSERT(isNative()); 

MOZ_ASSERT(slot < slotSpan()); 
+ TBB_MOZ_ASSERT(isNative()); 
+ TBB_MOZ_ASSERT(slot < slotSpanQ); 

return getSlot ( slot ) ; 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
inline bool 

IsOb jectValuelnCompartment (j s :: Value v, JSCompartment *comp) 
{ 

(8(5) -246,32 +246,32 @@ I sOb j ectValuelnCompartment ( j s : : Value v, JSCompartment *comp) 
inline void 

js :: Ob jectlmpl :: setSlot ( uint32_t slot, const js::Value Svalue) 
{ 

HOZ_ASSERT(slotInRange(slot) ) ; 

MOZ_ASSERT (IsObj ectValuelnCompartment (value, asObjectPtr()->compartment())); 
+ TBB_MOZ_ASSERT( slotlnRange(slot)); 

+ TBB_MOZ_ASSERT( I sOb jectValuelnCompartment (value, asObjectPtr ( ) - > compartment ( ) ) ) ; 
getSlotRef (slot). set (this - >asObjectPtr () , HeapSlot :: Slot , slot, value); 

} 

inline void 

js :: Objectlmpl :: setCrossCompartmentSlot ( uint32_t slot, const js::Value Svalue) 
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{ 

MOZ_ASSERT(slotInRange(slot)); 
+ TBB_MOZ_ASSERT( slotlnRange(slot)); 

getSlotRef ( slot ). set (this - >asObjectPtr () , HeapSlot : : Slot , slot, value); 

} 

inline void 

js : : Ob jectlmpl : : initSlot ( uint32_t slot, const js::Value Svalue) 
{ 

HOZ_ASSERT (getSlot ( slot ) . isUndef ined ( ) ) ; 
MOZ_ASSERT(slotInRange(slot)); 

MOZ_ASSERT (IsObjectValueInCompartment( value, asObjectPtr()->compartment())); 
+ TBB_MOZ_ASSERT( get Slot ( slot ) . isUndef ined ( ) ) ; 
+ TBB_MOZ_ASSERT( slotlnRange(slot)); 

+ TBB_MOZ_ASSERT( IsOb jectValuelnCompartment ( value, asObjectPtr ( ) - > compartment ( ) ) ) ; 
initSlotUnchecked ( slot , value); 

} 

inline void 

js :: Ob jectlmpl :: initCrossCompartmentSlot ( uint32_t slot, const js::Value Svalue) 
{ 

MOZ_ASSERT (getSlot ( slot ) . isUndef ined ( ) ) ; 

HOZ_ASSERT(slotInRange(slot)); 
+ TBB_MOZ_ASSERT (getSlot (slot) .isUndef ined() ); 
+ TBB_MOZ_ASSERT( slotlnRange(slot)); 

initSlotUnchecked ( slot , value); 

} 

@@ -284,14 +284,14 @@ j s :: Ob j ectlmpl :: initSlotUnchecked ( uint32_t slot, const js:: 
Value &value) 
inline void 

js :: Ob jectlmpl :: setFixedSlot ( uint32_t slot, const js::Value Svalue) 
{ 

MOZ_ASSERT(slot < numFixedSlots ()) ; 
+ TBB_MOZ_ASSERT(slot < numFixedSlots ()) ; 

fixedSlots() [slot] . set (this - >asObjectPtr () , HeapSlot :: Slot , slot, value); 

} 

inline void 

js :: Ob jectlmpl :: initFixedSlot ( uint32_t slot, const js::Value Svalue) 
{ 

MOZ_ASSERT(slot < numFixedSlots ()) ; 
+ TBB_MOZ_ASSERT(slot < numFixedSlots ()) ; 

fixedSlots() [slot] . init (this - >asOb jectPt r ( ) , HeapSlot :: Slot , slot, value); 

} 

@@ -343,7 +343,7 (3(3 js : : Objectlmpl : : dynamicSlotsCount ( uint32_t nfixed, uint32_t span) 
return SLOT_CAPACITY_MIN; 

uint32_t slots = RoundUpPow2 ( span ) ; 
MOZ_ASSERT(slots >= span); 
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+ TBB_MOZ_ASSERT( slots >= span); 
return slots; 

} 

§§ -366,10 +366,10 @@ js : :ObjectImpl : : readBarrier(ObjectImpl *obj) 
#ifdef 3SGC_INCREMENTAL 

Zone *zone = obj->zone(); 
if ( zone - >needsBarrier ( ) ) { 

MOZ_ASSERT( ! zone - >rt - >isHeapMa jorCollecting ( ) ) ; 
+ TBB_MOZ_ASSERT( ! zone -> rt - > isHeapMa jorCollecting ( ) ) ; 

JSObject *tmp = obj - >asOb jectPtr () ; 

MarkOb jectUnbarriered ( zone - >barrierTracer ( ) , &tmp, "read barrier"); 
MOZ_ASSERT(tmp == ob j - >asOb jectPtr ()) ; 
+ TBB_MOZ_ASSERT(tmp == ob j - >asObjectPtr ( ) ) ; 

} 

#endif 
} 

§§ -407,10 +407,10 @@ js : :ObjectImpl : : writeBarrierPre (Ob jectlmpl *obj) 

Zone *zone = obj->zone(); 
if ( zone - >needsBarrier ( ) ) { 

MOZ_ASSERT( ! zone - >rt - >isHeapMa jorCollecting ( ) ) ; 
+ TBB_MOZ_ASSERT( ! zone -> rt - > isHeapMa jorCollecting ( ) ) ; 

DSObject *tmp = obj - >asOb jectPtr ( ) ; 

MarkOb jectUnbarriered ( zone - >barrierTracer ( ) , Stmp, "write barrier"); 
MOZ_ASSERT(tmp == ob j - >asOb jectPtr ()) ; 
+ TBB_MOZ_ASSERT ( tmp == ob j - >asOb jectPtr ()) ; 

} 

#endif 
} 

diff --git a/ js/src/vm/Ob jectlmpl . cpp b/ js/src/vm/Ob jectlmpl . cpp 
index blce275 . . C366708 100644 
— a/ js/src/vm/Objectlmpl . cpp 
+++ b/ js/src/vm/Objectlmpl . cpp 

(51(5) -284,7 +284,7 @@ j s :: Ob j ectlmpl :: copySlot Range ( uint32_t start, const Value *vector 
, uint32_t leng 

sp- >set ( zone , this - >asOb jectPtr () , HeapSlot : : Slot , start++, *vector++); 

} 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 
bool 

js : : Objectlmpl : : slotInRange(uint32_t slot, SentinelAllowed sentinel) const 
{ 

(3(5) -293,7 +293,7 @@ j s :: Ob j ectlmpl :: slot InRange ( uint32_t slot, SentinelAllowed 
sentinel) const 

return slot <= capacity; 
return slot < capacity; 

} 

-#endif /* DEBUG */ 
+#endif /* TOR_NASSERT */ 
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// See bug 844580. 

#if defined (_MSC_VER) 
diff --git a/ js/src/vm/Ob jectlmpl . h b/ js/src/vm/Objectlmpl . h 
index 8eba5da . . 4edb6bb 100644 
— a/ js/src/vm/Objectlmpl . h 
+++ b/ js/src/vm/Objectlmpl . h 
@@ -7,7 +1,1 §§ 

#ifndef vm_0b jectlmpl_h 

#define vm_0b jectlmpl_h 

-#include "mozilla/Assertions.h" 
+# include " mozilla/ Assert ions To r.h" 

#include "mozilla/GuardObjects.h" 

#include " mozilla/ St andardlnteger.h" 

@@ -55,11 +55,11 §@ class Propertyld 

public : 

bool isName() const { 

MOZ_ASSERT(DSID_IS_STRING(id) || JSID_IS_SPECIAL ( id ) ) ; 
+ TBB_M0Z_ASSERT(3SID_IS_STRING(id) || J SID_IS_SPECIAL ( id ) ) ; 

return JSID_IS_STRING ( id ) ; 

} 

bool isSpecial() const { 

MOZ_ASSERT(DSID_IS_STRING(id) || DSID_IS_SPECIAL ( id ) ) ; 
+ TBB_MOZ_ASSERT(DSID_IS_STRING(id) || DSID_IS_SPECIAL ( id ) ) ; 

return !isName(); 

} 

@@ -195,17 +195,17 @@ struct PropDesc { 

bool isUndef ined ( ) const { return isUndef ined_; } 

bool hasGet() const { MOZ_ASSERT (! isUndef ined ()) ; return hasGet_; } 

bool hasSet() const { MOZ_ASSERT (! isUndef ined ()) ; return hasSet_; } 

bool hasValueQ const { MOZ_ASSERT (! isUndef ined ()) ; return hasValue_; } 

bool hasWritable() const { MOZ_ASSERT (! isUndef ined ()) ; return hasWritable_; } 

bool hasEnumerable( ) const { MOZ_ASSERT (! isUndef ined ()) ; return hasEnumerable_ 

} 

bool hasConf igurable ( ) const { MOZ_ASSERT (! isUndef ined ()) ; return 
hasConf igurable_; } 

+ bool hasGet() const { TBB_MOZ_ASSERT( ! isUndef ined ()) ; return hasGet_; } 
+ bool hasSet() const { TBB_MOZ_ASSERT( ! isUndef ined ()) ; return hasSet_; } 
+ bool hasValueQ const { TBB_MOZ_ASSERT (! isUndef ined ()) ; return hasValue_; } 
+ bool hasWritable() const { TBB_MOZ_ASSERT (! isUndef ined ()) ; return hasWritable_ 
} 

+ bool hasEnumerable( ) const { TBB_MOZ_ASSERT (! isUndef ined ()) ; return 
hasEnumerable_; } 

+ bool hasConf igurable ( ) const { TBB_MOZ_ASSERT (! isUndef ined ()) ; return 
hasConf igurable_; } 
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Value pd() const { MOZ_ASSERT ( ! isUndef ined ( ) ) ; return pd_; } 
Value pd() const { TBB_MOZ_ASSERT ( ! isUndef ined ( ) ) ; return pd_; } 
void clearPdQ { pd_ = Undef inedValue ( ) ; } 

uint8_t attributes() const { MOZ_ASSERT (! isUndef ined ()) ; return attrs; } 
uint8_t attributesQ const { TBB_MOZ_ASSERT (! isUndef ined ()) ; return attrs; } 

/* 8.10.1 IsAccessorDescriptor ( desc ) */ 
bool isAccessorDescriptor( ) const { 
5) -223,47 +223,47 @@ struct PropDesc { 
} 

bool configurable ( ) const { 

MOZ_ASSERT( ! isUndef ined ()) ; 
MOZ_ASSERT(hasConf igurable( ) ) ; 
+ TBB_HOZ_ASSERT( ! isUndef ined ()) ; 

+ TBB_MOZ_ASSERT(hasConfigurable() ); 

return (attrs S DSPROP_PE RMANENT ) == 0; 

} 

bool enumerable() const { 

MOZ_ASSERT( ! isUndef ined () ) ; 
MOZ_ASSERT( has Enumerable () ); 
+ TBB_HOZ_ASSERT( ! isUndef ined ()) ; 

+ TBB_MOZ_ASSERT(hasEnumerable() ); 

return (attrs S DSPROP_E NUMERATE ) != 0; 

} 

bool writable() const { 

MOZ_ASSERT( ! isUndef ined () ) ; 
MOZ_ASSERT(hasWritable()); 
+ TBB_MOZ_ASSERT( ! isUndef ined ()) ; 

+ TBB_MOZ_ASSERT(hasWritable()); 

return (attrs & DSPROP_READONLY) == 0; 

} 

HandleValue value() const { 
MOZ_ASSERT(hasValue() ); 
TBB_MOZ_ASSERT(hasValue() ); 

return HandleValue: : f romMarkedLocation (&value_) ; 

} 

DSObject * getterObject ( ) const { 
MOZ_ASSERT( ! isUndef ined ()) ; 
MOZ_ASSERT( hasGet ( ) ) ; 
+ TBB_MOZ_ASSERT( ! isUndef ined ()) ; 

+ TBB_MOZ_ASSERT ( hasGet ( ) ) ; 

return get_. isUndef ined ( ) ? NULL : &get_. toObject () ; 

} 

DSObject * setterObjectQ const { 
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MOZ_ASSERT( ! isUndef ined ( ) ) ; 
MOZ_ASSERT(hasSet() ); 
+ TBB_MOZ_ASSERT( ! isUndef ined ( ) ) ; 

+ TBB_MOZ_ASSERT (hasSetQ); 

return set_. isUndef ined ( ) ? NULL : Sset_ . toOb ject ( ) ; 

} 

HandleValue getterValue ( ) const { 
MOZ_ASSERT( ! isUndef ined () ) ; 
MOZ_ASSERT(hasGet() ) j 
+ TBB_MOZ_ASSERT( ! isUndef ined ()) ; 

+ TBB_MOZ_ASSERT ( has Get ( ) ) ; 

return HandleValue: : f romMarkedLocation (&get_) ; 

} 

HandleValue setterValue ( ) const { 
MOZ_ASSERT( ! isUndef ined ()) ; 
MOZ_ASSERT(hasSet() ); 
+ TBB_MOZ_ASSERT( ! isUndef ined ()) ; 

+ TBB_MOZ_ASSERT(hasSet()); 

return HandleValue: : f romMarkedLocation (&set_) ; 

} 

5) -467,13 +407,13 @@ class ElementsHeader 

}; 

void staticAsserts ( ) { 

MOZ_STATIC_ASSERT(sizeof (ElementsHeader) == ValuesPerHeader * sizeof (Value) , 
TBB_MOZ_STATIC_ASSERT(sizeof (ElementsHeader) == ValuesPerHeader * sizeof( 
Value), 

"Elements size and values -per - Elements mismatch"); 

} 

public : 

ElementsKind kind() const { 

MOZ_ASSERT(type <= ArrayBuf f erElements ) ; 
TBB_MOZ_ASSERT(type <= ArrayBuf f erElements ) ; 
return ElementsKind (type) ; 

} 



{ 



-454,17 +454,17 @@ class DenseElementsHeader : public ElementsHeader 
public : 

uint32_t capacity() const { 

MOZ_ASSERT( ElementsHeader : : isDense Elements ( ) ) ; 
TBB_MOZ_ASSERT( ElementsHeader : : isDenseElements ( ) ) ; 
return dense . capacity ; 

} 

uint32_t initializedLength ( ) const { 

MOZ_ASSERT( ElementsHeader : : isDenseElements ( ) ) ; 
TBB_MOZ_ASSERT( ElementsHeader : : isDenseElements ( ) ) ; 
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return dense . initializedLength ; 

} 

uint32_t length() const { 

MOZ_ASSERT( Elements Header : : isDense Elements ( ) ) ; 
+ TBB_MOZ_ASSERT( Element sHeader : : isDenseElements Q ) ; 

return ElementsHeader :: length; 

} 

(a)(5) -498,12 +490,12 @(5) class SparseElementsHeader : public ElementsHeader 
{ 

public : 

Shape *shapeQ { 

MOZ_ASSERT( ElementsHeader : : isSparseElements ( ) ) ; 
+ TBB_MOZ_ASSERT( ElementsHeader : : isSparseElements ( ) ) ; 

return sparse . shape; 

} 

uint32_t length() const { 

MOZ_ASSERT( ElementsHeader : : isSparseElements ( ) ) ; 
+ TBB_MOZ_ASSERT( ElementsHeader : : isSparseElements ( ) ) ; 

return ElementsHeader :: length; 

} 

@§ -588,7 +588,7 (3(5) struct uint8_c lamped { 
} 

void staticAsserts ( ) { 

MOZ_STATIC_ASSERT(sizeof (uint8_clamped) == 1, 
+ TBB_MOZ_STATIC_ASSERT(sizeof ( uint8_clamped ) == 1, 

"uint8_clamped must be layout - compatible with uint8_t"); 

} 

}; 

(g)(5) -607,21 +607,21 @(5) template <typename T> 
class TypedElementsHeader : public ElementsHeader 
{ 

T getElement ( uint32_t index) { 

MOZ_ASSERT( index < lengthQ); 
+ TBB_MOZ_ASSERT( index < length()); 

return reinterpret_cast <T *>(this + 1) [index]; 

} 

inline void assign ( uint32_t index, double d); 

void set Element ( uint32_t index, T value) { 
MOZ_ASSERT( index < lengthQ); 
+ TBB_MOZ_ASSERT (index < lengthQ); 

reinterpret_cast <T *>(this + 1) [index] = value; 

} 

public : 
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uint32_t length() const { 

M0Z_ASSERT(Uint8Elements <= kindQ); 

MOZ_ASSERT( kind ( ) <= Float64Elements ) ; 
+ TBB_H0Z_ASSERT(Uint8Elements <= kind()); 

+ TBB_MOZ_ASSERT ( kind ( ) <= Float64Elements ) ; 

return ElementsHeader :: length; 

} 

(S)@ -643,7 +643,7 @@ class TypedElementsHeader : public ElementsHeader 
template<typename T> inline void 

TypedElementsHeader <T> :: assign ( uint32_t index, double d) 
{ 

MOZ_NOT_REACHED ( " didn ' t specialize for this element type"); 
+ TBB_MOZ_NOT_REACHED( "didn ' t specialize for this element type"); 
} 

templateo inline void 
@@ -809,84 +809,84 @@ class ArrayBuf f erElementsHeader : public ElementsHeader 
inline DenseElementsHeader & 
ElementsHeader ::asDenseElements() 
{ 

MOZ_ASSERT(isDenseElements()); 
+ TBB_MOZ_ASSERT( isDenseElements ( ) ) ; 

return *static_cast<DenseElementsHeader *>(this); 

} 

inline SparseElementsHeader & 
ElementsHeader ::asSparseElements() 
{ 

MOZ_ASSERT(isSparseElements() ); 
+ TBB_MOZ_ASSERT( isSparseElements ( ) ) ; 

return *static_cast<SparseElementsHeader *>(this); 

} 

inline Uint8ElementsHeader & 
ElementsHeader ::asUint8Elements() 
{ 

H0Z_ASSERT(isUint8Elements ( ) ) ; 
+ TBB_MOZ_ASSERT( isUint8Elements ( ) ) ; 

return *static_cast<Uint8ElementsHeader *>(this); 

} 

inline Int8ElementsHeader & 
ElementsHeader ::asInt8Elements() 
{ 

M0Z_ASSERT(isInt8Elements()); 
+ TBB_M0Z_ASSERT(isInt8Elements( ) ) ; 

return *static_cast<Int8ElementsHeader *>(this); 

} 

inline Uintl6ElementsHeader & 
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ElementsHeader::asUintl6Elements() 
{ 

M0Z_ASSERT(isuintl6Elements() ); 
+ TBB_MOZ_ASSERT( isUintl6Elements ( ) ) ; 

return *static_cast<Uintl6ElementsHeader *>(this); 

} 

inline Intl6ElementsHeader & 

ElementsHeader::asIntl6Elements() 

{ 

M0Z_ASSERT(isIntl6Elements ( ) ) ; 
+ TBB_MOZ_ASSERT( isIntl6Elements( ) ) ; 

return *static_cast<Intl6ElementsHeader *>(this); 

} 

inline Uint32ElementsHeader S 

ElementsHeader::asUint32Elements() 

{ 

M0Z_ASSERT(isllint32Elements () ); 
+ TBB_MOZ_ASSERT( isUint32Elements ( ) ) ; 

return *static_cast<Uint32ElementsHeader *>(this); 

} 

inline Int32ElementsHeader & 

ElementsHeader::asInt32Elements() 

{ 

H0Z_ASSERT(isInt32Elements ( ) ) ; 
+ TBB_MOZ_ASSERT( isInt32Elements( ) ) ; 

return *static_cast<Int32ElementsHeader *>(this); 

} 

inline Uint8ClampedElementsHeader & 

ElementsHeader::asUint8ClampedElements() 

{ 

M0Z_ASSERT(isUint8ClampedElements() ); 
+ TBB_MOZ_ASSERT( isUint8ClampedElements ( ) ) ; 

return *static_cast<Uint8ClampedElementsHeader *>(this); 

} 

inline Float32ElementsHeader & 

ElementsHeader::asFloat32Elements() 

{ 

H0Z_ASSERT(isFloat32Elements() ); 
+ TBB_M0Z_ASSERT(isFloat32Elements () ); 

return *static_cast < Float32ElementsHeader *>(this); 

} 

inline Float64ElementsHeader & 
ElementsHeader::asFloat 64 Elements () 
{ 

M0Z_ASSERT(isFloat64Elements() ); 
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+ TBB_M0Z_ASSERT(isFloat64Elements () ) ; 

return *static_cast < Float64ElementsHeader *>(this); 

} 

inline ArrayBuf f erElementsHeader & 

ElementsHeader::asArrayBufferElements() 

{ 

MOZ_ASSERT(isArrayBuf f erElements ( ) ) ; 
+ TBB_MOZ_ASSERT( isArrayBuff erElements ( ) ) ; 

return *static_cast<ArrayBuff erElementsHeader *>(this); 

} 

@@ -1021,7 +1021,7 @@ class Ob jectElements 
uint32_t length; 

void staticAsserts ( ) { 

MOZ_STATIC_ASSERT(sizeof (ObjectElements ) == VALUE S_PER_HEADER * sizeof(Value 

>, 

+ TBB_MOZ_STATIC_ASSERT(sizeof (ObjectElements) == VALUES_PER_HEADER * sizeof( 

Value), 

"Elements size and values - per - Elements mismatch"); 

} 

@@ -1166,18 +1166,18 @(5) class Objectlmpl : public gc::Cell 

private : 

static void staticAsserts ( ) { 

MOZ_STATIC_ASSERT(sizeof (Objectlmpl) == sizeof ( shadow :: Ob ject ) , 
+ TBB_MOZ_STATIC_ASSERT( sizeof (Objectlmpl) == sizeof ( shadow :: Ob ject ) , 

"shadow interface must match actual implementation"); 
MOZ_STATIC_ASSERT(sizeof (Objectlmpl) % sizeof (Value) == 0, 
+ TBB_MOZ_STATIC_ASSERT( sizeof (Objectlmpl) % sizeof (Value) == 0, 

"fixed slots after an object must be aligned"); 

MOZ_STATIC_ASSERT(offsetof (Objectlmpl, shape_) == of fsetof( shadow :: Ob ject , 
shape) , 

+ TBB_MOZ_STATIC_ASSERT(offsetof (Objectlmpl, shape_) == of f setof ( shadow : : 

Object, shape), 

"shadow shape must match actual shape"); 
MOZ_STATIC_ASSERT(off setof (Objectlmpl, type_) == of fsetof( shadow :: Object , 
type), 

+ TBB_MOZ_STATIC_ASSERT(offsetof (Objectlmpl, type_) == of f setof ( shadow :: Ob ject 

, type), 

"shadow type must match actual type"); 
MOZ_STATIC_ASSERT(offsetof (Objectlmpl, slots) == of f setof ( shadow :: Object , 
slots), 

+ TBB_MOZ_STATIC_ASSERT(offsetof (Objectlmpl, slots) == of f setof ( shadow :: Object 

, slots), 

"shadow slots must match actual slots"); 
MOZ_STATIC_ASSERT(offsetof (Objectlmpl, elements) == of f setof ( shadow :: Object , 
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+ TBB_MOZ_STATIC_ASSERT ( of f set of (Objectlmpl, elements) == of fsetof ( shadow : 

Object, _1), 

"shadow placeholder must match actual elements"); 

} 

§@ -1213,7 +1213,7 @@ class Objectlmpl : public gc::Cell 
bool makeElementsSparse ( DSContext *cx) { 
NEW_OBDECT_REPRESENTATION_ONLY(); 

MOZ_NOT_REACHED( "NYI " ) ; 
+ TBB_MOZ_NOT_REACHED ( " NYI " ) ; 

return false; 

} 

@@ -1272,7 +1272,7 @@ class Objectlmpl : public gc::Cell 

*/ 

void copySlotRange ( uint32_t start, const Value *vector, uint32_t length); 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

enum SentinelAllowed { 

SENTINEL_NOT_ALLOWED, 
SENTINE L_ALLOWED 
@@ -1307,7 +1307,7 @(3 class Objectlmpl : public gc::Cell 
{ 

NEW_OBDECT_REPRESENTATION_ONLY(); 

MOZ_NOT_REACHED( "NYI " ) ; 
+ TBB_MOZ_NOT_REACHED ( " NYI " ) ; 

return Failure; 

} 

§§ -1320,7 +1320,7 @@ class Objectlmpl : public gc::Cell 
inline js : : TaggedProto getTaggedProto ( ) const; 

Shape * lastProperty ( ) const { 
MOZ_ASSERT(shape_); 
+ TBB_HOZ_ASSERT ( shape_) ; 

return shape_; 

} 

@@ -1333,7 +1333,7 @@ class Objectlmpl : public gc::Cell 
inline bool isNative() const; 

types :: TypeObject *type() const { 
MOZ_ASSERT( ! hasLazyType ( ) ); 
+ TBB_MOZ_ASSERT( ! hasLazyType ()) ; 

return type_; 

} 

@@ -1403,7 +1403,7 @@ class Objectlmpl : public gc::Cell 
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inline bool inDictionaryMode ( ) const; 

const Value SgetSlot ( uint32_t slot) const { 
MOZ_ASSERT(slotInRange(slot) ) ; 
TBB_MOZ_ASSERT (slot InRange (slot)); 
uint32_t fixed = numFixedSlots () ; 
if (slot < fixed) 

return f ixedSlots ( ) [ slot ] ; 
-1423,12 +1423,12 @@ class Objectlmpl : public gc::Cell 

* object, which may be necessary when fetching zero-length arrays of 

* slots (e.g. for callOb j VarArray ) . 
*/ 

MOZ_ASSERT(slotInRange(slot, SENTINEL_AL LOWED) ) ; 
TBB_MOZ_ASSERT( slot InRange (slot, SENTINE L_AL LOWED) ) ; 
return getSlotAddressUnchecked(slot); 

} 

HeapSlot &getSlotRef ( uint32_t slot) { 
MOZ_ASSERT(slotInRange(slot) ) ; 
TBB_MOZ_ASSERT( slot InRange (slot)); 
return *getSlotAddress ( slot ) ; 

} 

-1444,12 +1444,12 @§ class Objectlmpl : public gc::Cell 
/* For slots which are known to always be fixed, due to the way they are 
allocated. */ 

HeapSlot SgetFixedSlotRef ( uint32_t slot) { 
MOZ_ASSERT(slot < numFixedSlots ()) ; 
TBB_MOZ_ASSERT(slot < numFixedSlots ()) ; 
return f ixedSlots ()[ slot ] ; 

} 

const Value &getFixedSlot ( uint32_t slot) const { 
MOZ_ASSERT(slot < numFixedSlots ()) ; 
TBB_MOZ_ASSERT(slot < numFixedSlots ()) ; 
return f ixedSlots ()[ slot ] ; 

} 

-1479,7 +1479,7 @@ class Objectlmpl : public gc::Cell 
} 

inline HeapSlot *f ixedElements ( ) const { 

M0Z_STATIC_ASSERT(2 * sizeof (Value ) == sizeof (ObjectElements ) , 
TBB_M0Z_STATIC_ASSERT(2 * sizeof (Value ) == sizeof (ObjectElements) , 
"when elements are stored inline, the first two " 
"slots will hold the ObjectElements header"); 
return Sf ixedSlots () [2] ; 
-1524,8 +1524,8 @@ class Objectlmpl : public gc::Cell 

* Private pointers are stored immediately after the last fixed slot of 

* the object. 
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*/ 

MOZ_ASSERT(nfixed == numFixedSlots ( ) ) ; 

MOZ_ASSERT(hasPrivate()); 
+ TBB_MOZ_ASSERT(nfixed == numFixedSlots ()) ; 

+ TBB_MOZ_ASSERT(hasPrivate()); 

HeapSlot *end = &f ixedSlots ( ) [ nf ixed ] ; 

return * reinterpret_cast < void** > ( end ) ; 

} 

diff --git a/ js/src/vm/SPSProf iler . cpp b/ js/src/vm/SPSProf iler . cpp 
index ec3e5f b . . 9781c53 100644 

— a/ js/src/vm/SPSProf iler . cpp 
+++ b/ js/src/vm/SPSProf iler . cpp 
@@ -4,7 +4,7 @@ 

* License, v. 2.0. If a copy of the MPL was not distributed with this 

* file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 

-#include "mozilla/DebugOnly.h" 
+#include "moz ilia/ DebugOnly Tor . h" 

#include "jsnum.h" 
#include "jsscript.h" 
§@ -16,7 +16,7 @@ 

using namespace js; 

-using mozilla :: DebugOnly ; 
+using mozilla : : DebugOnlyTor; 

SPSProfiler: : SPSProfiler ( DSRuntime *rt) 
: rt(rt), 

@@ -205,7 +205,7 @@ SPSProfiler: :pop() 
const char* 

SPSProfiler :: allocProf ileString ( JSContext *cx, JSScript *script, JSFunction 
maybeFun ) 

{ 

DebugOnly < uint64_t > gcBefore = cx- >runtime ( ) - >gcNumber ; 
+ Debug0nlyTor<uint64_t > gcBefore = cx -> runtime ()- >gcNumber; 
StringBuffer buf(cx); 

bool hasAtom = maybeFun != NULL && maybeFun - >displayAtom ( ) != NULL; 
if (hasAtom) { 

diff --git a/ js/src/vm/SPSProf iler . h b/ js/src/vm/SPSProf iler . h 
index f 9b426e . . 2f 3e00c 100644 

— a/ js/src/vm/SPSProf iler . h 
+++ b/ js/src/vm/SPSProf iler . h 
§@ -9,7 +9,7 (3(5) 

#include <stddef.h> 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla/ DebugOnly Tor . h" 
#include "mozilla/GuardObjects.h" 
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#include "mozilla/HashFunctions.h" 

@@ -210,7 +218,7 @@ class SPSEntryMarker 

private : 

SPSProfiler *profiler; 

mozilla : : DebugOnly <uint32_t > size_before; 
+ mozilla :: DebugOnlyTor <uint32_t > size_before; 
M0Z_DECL_USE_GUARD_0BDEC.T_N0TIFT.ER 

}: 

diff --git a/ js/src/vm/Shape . cpp b/ js/src/vm/Shape . cpp 
index da08e89 . . 76celf 7 100644 
— a/ js/src/vm/Shape . cpp 
+++ b/ js/src/vm/Shape . cpp 
@@ -6,7 +6,7 @@ 

/* JS symbol tables. */ 

-#include "mozilla/DebugOnly.h" 
+#include "mozilla /DebugOnlyTor . h" 
#include "mozilla/PodOperations.h" 

#include "jsapi.h" 
@@ -23,7 +25,7 (3(5) 
using namespace js; 
using namespace js::gc; 

-using mozilla :: DebugOnly ; 
+using mozilla :: DebugOnlyTor ; 
using mozilla :: PodZero; 

bool 

§§ -163,7 +163,7 @@ ShapeTable :: search (jsid id, bool adding) 
hash2 = HASH2(hash0 J sizeLog2, hashShift); 
sizeMask = DS_BITMASK ( sizeLog2 ) ; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

uintptr_t collision_f lag = SHAPE_COLLISION; 
#endif 

@(5) -174,7 +174,7 @@ ShapeTable :: search (jsid id, bool adding) 
firstRemoved = NULL; 

if (adding && ! SHAPE_HAD_COLLISION ( stored ) ) 
SHAPE_FLAG_COLLISION(spp J shape); 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

collision_f lag &= uintptr_t (*spp) & SHAPE_COLLISION; 

#endif 
} 
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§§ -200,7 +200,7 §@ ShapeTable :: search (jsid id, bool adding) 
} else { 

if (adding && ! SHAPE_HAD_COLLISION ( stored ) ) 
SHAPE_FLAG_COLLISION(spp, shape) ; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

collision_f lag &= uintptr_t ( * spp ) & SHAPE_COLLISION; 

#endif 

} 

@@ -1450,8 +1450,8 @§ DSCompartment : : sweepInitialShapeTable ( ) 

if ( IsShapeAboutToBeFinalized (&shape) | ( entry . proto . isObject ( ) && 
IsOb jectAboutToBeFinalized (Sproto) ) ) { 
e . removeFront ( ) ; 
} else { 

-#ifdef DEBUG 

DebugOnly < JSOb ject *> parent = shape - >getOb jectParent () ; 
+#ifndef TOR_NASSERT 

+ DebugOnlyTor< JSObject *> parent = shape - >getOb jectParent () ; 

DS_ASSERT( ! parent || ! IsOb jectAboutToBeFinalized (&parent )) ; 
]S_ASSERT(parent == shape - >getOb jectParent ()) ; 

#endif 

diff --git a/ js/src/vm/Stack - inl . h b/ js/src/vm/Stack-inl . h 
index db6f c22 . . a035acb 100644 

— a/js/src/vm/Stack-inl . h 
+++ b/js/src/vm/Stack-inl . h 

@(5) -849,7 +849,7 @@ InterpreterActivation : : InterpreterActivation ( JSContext *cx, 
StackFrame *entry, F 
entry_( entry ) , 
current_( entry ) , 
regs_(regs) 
-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

, oldFrameCount_(cx_->runtime()->interpreterStack().frameCount_) 
#endif 
{} 

diff --git a/ js/src/vm/Stack . h b/ js/src/vm/Stack . h 
index f f f cf 73 . .46f 90a8 100644 

— a/ js/src/vm/Stack . h 
+++ b/ js/src/vm/Stack . h 

(5)(5) -1217,7 +1217,7 @@ class InterpreterActivation : public Activation 
StackFrame *current_; // The most recent frame. 

FrameRegs &regs_; 

-#ifdef DEBUG 
+#ifndef TOR_NASSERT 

size_t oldF rameCount_; 
#endif 

diff --git a/ js/src/vm/StringBuf f er . h b/ js/src/vm/StringBuf f er . h 
index 9c40fec .. 587537b 100644 

— a/ js/src/vm/StringBuf fer . h 
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+++ b/js/src/vm/StringBuf f er . h 
@@ -7,7 +7,7 @@ 

#ifndef vm_StringBuf f er_h 

#define vm_StringBuf f er_h 

-#include "mozilla/DebugOnly.h" 
+#include "moz ilia/ DebugOnly Tor . h" 

#include "jscntxt.h" 

§§ -120,8 +120,8 @@ StringBuff er :: appendlnf lated ( const char *cstr, slze_t cstrlen) 
size_t lengthBefore = length(); 
if (lcb.gr owByUninitialized(cstrlen)) 

return false; 
mozilla : : DebugOnly<size_t> oldcstrlen = cstrlen; 

mozilla : : DebugOnly<bool> ok = Inf lateStringToBuf fer ( context () , cstr, cstrlen, 
+ mozilla :: DebugOnlyTor<size_t> oldcstrlen = cstrlen; 

+ mozilla :: DebugOnlyTor<bool> ok = Inf lateStringToBuf fer ( context () , cstr, cstrlen, 

begin() + lengthBefore, & 
cstrlen ) ; 

DS_ASSERT(ok && oldcstrlen == cstrlen); 
return true; 

diff --git a/media/libnestegg/src/halloc . c b/media/ libnestegg/src/halloc . c 
index 5382c56 . . 962f 20d 100644 

— a/media/libnestegg/src/halloc.c 
+++ b/media/libnestegg/src/halloc.c 

@@ -75,7 +75,7 @@ void * halloc(void * ptr, size_t len) 
p = allocator(0, len + sizeof _hblock ) ; 
if (! p) 

return NULL; 
-#ifndef NDEBUG 
+#ifndef TOR_NASSERT 

p->magic = HH_MAGIC; 
#endif 

hlist_init (&p-> children); 
@@ -236,7 +236,7 (3(3 static void _f ree_children ( hblock_t * p) 
{ 

hlist_item_t * i, * tmp; 

-#ifndef NDEBUG 
+#ifndef TOR_NASSERT 
/* 

* this catches loops in hierarchy with almost zero 

* overhead (compared to _relate() running time) 
diff --git a/mf bt/AssertionsTor . h b/mf bt/AssertionsTor . h 
new file mode 100644 

index 0000000 .. 0e8eal8 

— /dev/null 

+++ b/mf bt/AssertionsTor . h 
@@ -0,0 +1,436 (3(3 

+ /* .*. Mode: C++; tab-width: 2; indent -tabs -mode : nil; c - basic -of f set : 2 -*- */ 
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+/* This Source Code Form is subject to the terms of the Mozilla Public 
+ * License, v. 2.0. If a copy of the MPL was not distributed with this 
+ * file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 
+ 

+/* Implementations of runtime and static assertion macros for C and C++. */ 
+ 

+#ifndef tbb_Assertions_h_ 
+#define tbb_Assertions_h_ 
+ 

+# include "mozilla/ At tributes. h" 
+#include "mozilla/Compiler . h " 
+#include "mozilla/ Likely . h" 
+ 

+#include <stddef.h> 
+#include <stdio.h> 
+#include <stdlib.h> 
+#ifdef WIN32 
+ /* 

+ * TerminateProcess and GetCurrentProcess are defined in <winbase.h>, which 
+ * further depends on <windef.h>. We hardcode these few definitions manually 
+ * because those headers clutter the global namespace with a significant 
+ * number of undesired macros and symbols. 
+ */ 

+# ifdef cplusplus 

+ extern "C" { 
+# endif 

+ declspec ( dllimport ) int stdcall 

+ TerminateProcess ( void* hProcess, unsigned int uExitCode); 

+ declspec ( dllimport ) void* stdcall GetCurrentProcess ( void ) ; 

+# ifdef cplusplus 

+ } 

+# endif 

+#else 

+# include <signal.h> 
+#endif 

+#ifdef ANDROID 

+# include <android/log . h > 

+#endif 

+ 

+ /* 

+ * TBB_MOZ_STATIC_ASSERT may be used to assert a condition *at compile time*. This 
+ * can be useful when you make certain assumptions about what must hold for 
+ * optimal, or even correct, behavior. For example, you might assert that the 
+ * size of a struct is a multiple of the target architecture's word size: 
+ * 

+ * struct S { ... }; 

+ * TBB_MOZ_STATIC_ASSERT(sizeof (S) % sizeof ( size_t ) == 0, 

+ * "S should be a multiple of word size for efficiency"); 

+ * 

+ * This macro can be used in any location where both an extern declaration and a 
+ * typedef could be used. 
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+ * 

+ * Be aware of the gcc 4.2 concerns noted further down when writing patches that 

+ * use this macro, particularly if a patch only bounces on OS X. 
+ */ 

+#ifdef cplusplus 

+# if defined( clang ) 

+# ifndef has_extension 

+# define has_extension has_feature /* compatibility, for older versions of 

clang */ 

+# endif 

+# if has_extension ( cxx_static_assert ) 

+# define TBB_MOZ_STATIC_ASSERT(cond , reason) static_assert ( ( cond ) , reason) 

+# endif 

+# elif defined( GNUC ) 

+# if (defined( GXX_EXPERIMENTAL_CXX0X ) || cplusplus >= 201103L) 

+# define TBB_MOZ_STATIC_ASSERT(cond , reason) static_assert ( ( cond ) , reason) 

+# endif 

+# elif defined(_MSC_VER) 

+# if _MSC_VER >= 1600 /* MSVC 10 */ 

+# define TBB_MOZ_STATIC_ASSERT(cond , reason) static_assert ( ( cond ) , reason) 

+# endif 

+# elif defined( HP_aCC) 

+# if HP_aCC >= 62500 && defined (_HP_CXX0x_SOURCE ) 

+# define TBB_MOZ_STATIC_ASSERT(cond , reason) static_assert ( ( cond ) , reason) 

+# endif 

+# endif 
+#endif 

+#ifndef TBB_MOZ_STATIC_ASSERT 

+ /* 

+ * Some of the definitions below create an otherwise - unused typedef. This 

+ * triggers compiler warnings with some versions of gcc, so mark the typedefs 

+ * as permissibly - unused to disable the warnings. 

+ */ 

+# if defined( GNUC ) 

+# define TBB_MOZ_STATIC_ASSERT_UNUSED_ATTRIBUTE attribute ((unused)) 

+# else 

+# define TBB_MOZ_STATIC_ASSERT_UNUSED_ATTRIBUTE /* nothing */ 

+# endif 

+# define TBB_M0Z_STATIC_ASSERT_GLUE1 (x, y) x##y 

+# define TBB_MOZ_STATIC_ASSERT_GLUE (x, y) TBB_MOZ_STATIC_ASSERT_GLUEl(x, 

y) 

+# if defined( SUNPRO_CC) 

+ /* 

+ * The Sun Studio C++ compiler is buggy when declaring, inside a function, 

+ * another extern'd function with an array argument whose length contains a 

+ * sizeof, triggering the error message "sizeof expression not accepted as 

+ * size of array parameter". This bug (6688515, not public yet) would hit 

+ * defining moz_static_assert as a function, so we always define an extern 

+ * array for Sun Studio. 

+ * 

+ * We include the line number in the symbol name in a best-effort attempt 



May 30, 2014 



Tor Project Confidential 



Version 1.3 



iSEC Partners Final Report — Tor Project Tor Browser Bundle 



Page 135 of 154 



+ * to avoid conflicts (see below). 

+ */ 

+# define TBB_MOZ_STATIC_ASSERT ( cond , reason) \ 

+ extern char TBB_HOZ_STATIC_ASSERT_GLUE (moz_static_assert , LINE )[(cond) ? 

1 : -1] 

+# elif defined( COUNTER ) 

+ /* 

+ * If there was no preferred alternative , use a compiler - agnostic version. 

+ * 

+ * Note that the non- COUNTER version has a bug in C++: it can't be used 

+ * in both |extern "C" | and normal C++ in the same translation unit. (Alas 

+ * | extern "C"| isn't allowed in a function.) The only affected compiler 

+ * we really care about is gcc 4.2. For that compiler and others like it, 

+ * we include the line number in the function name to do the best we can to 

+ * avoid conflicts. These should be rare: a conflict would require use of 

+ * TBB_MOZ_STATIC_ASSERT on the same line in separate files in the same 

+ * translation unit, *and* the uses would have to be in code with 

+ * different linkage, *and* the first observed use must be in C++-linkage 

+ * code. 

+ */ 

+# define TBB_MOZ_STATIC_ASSERT ( cond , reason) \ 

+ typedef int TBB_MOZ_STATIC_ASSERT_GLUE (moz_static_assert , COUNTER )[(cond) 

? 1 : -1] TBB_MOZ_STATIC_ASSERT_UNUSED_ATTRIBUTE 
+# else 

+# define TBB_MOZ_STATIC_ASSERT ( cond , reason) \ 

+ extern void TBB_MOZ_STATIC_ASSERT_GLUE (moz_static_assert , LINE )(int arg[( 

cond) ? 1 : -1]) TBB_MOZ_STATIC_ASSERT_UNUSED_ATTRIBUTE 
+# endif 
+#endif 
+ 

+#define TBB_MOZ_STATIC_ASSERT_IF ( cond , expr, reason) TBB_MOZ_STATIC_ASSERT ( ! (cond) 
| (expr), reason) 

+ 

+#ifdef cplusplus 

+extern "C" { 

+#endif 

+ 

+ /* 

+ * Prints |s| as an assertion failure (using file and In as the location of the 
+ * assertion) to the standard debug-output channel. 
+ * 

+ * Usually you should use TBB_MOZ_ASSERT or TBB_MOZ_CRASH instead of this method. 
This 

+ * method is primarily for internal use in this header, and only secondarily 
+ * for use in implementing release - build assertions. 
+ */ 

+static MOZ_ALWAYS_INLINE void 

+TBB_MOZ_ReportAssertionFailure ( const char* s, const char* file, int In) 
+ { 

+#ifdef ANDROID 

+ android_log_print(ANDROID_LOG_FATAL, "TBB_MOZ_Assert " , 
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+ "Assertion failure: %s , at %s:%d\n", s, file, In); 

+#else 

+ f printf ( stderr , "Assertion failure: %s, at %s:%d\n", s, file, In); 

+ f flush ( stderr) ; 

+#endif 

+ } 
+ 

+static MOZ_ALWAYS_INLINE void 

+TBB_MOZ_ReportCrash ( const char* s, const char* file, int In) 
+ { 

+#ifdef ANDROID 

+ android_log_print(ANDROID_LOG_FATAL, " TBB_MOZ_C RASH " , 

+ "Hit TBB_MOZ_CRASH(%s) at %s:%d\n", s, file, In); 

+#else 

+ fprintf (stderr, "Hit TBB_MOZ_CRASH (%s ) at %s:%d\n", s, file, In); 

+ f flush ( stderr ) ; 

+#endif 

+ } 
+ 

+ * TBB_MOZ_REALLY_CRASH is used in the implementation of TBB_MOZ_CRASH ( ) . You 
should 

+ * call TBB_MOZ_CRASH instead. 

+ */ 

+#if defined(_MSC_VER) 

+ /* 

+ * On MSVC use the debugbreak compiler intrinsic, which produces an inline 

+ * (not nested in a system function) breakpoint. This distinctively invokes 
+ * Breakpad without requiring system library symbols on all stack - processing 
+ * machines, as a nested breakpoint would require. 
+ * 

+ * We use TerminateProcess with the exit code aborting would generate 
+ * because we don't want to invoke atexit handlers, destructors, library 
+ * unload handlers, and so on when our process might be in a compromised 
+ * state. 
+ * 

+ * We don't use abort() because it ' d cause Windows to annoyingly pop up the 
+ * process error dialog multiple times. See bug 345118 and bug 426163. 

+ * 

+ * We follow TerminateProcess ( ) with a call to TBB_MOZ_NoReturn ( ) so that the 
+ * compiler doesn't hassle us to provide a return statement after a 
+ * TBB_MOZ_REALLY_CRASH() call. 

+ * 

+ * (Technically these are Windows requirements, not MSVC requirements. But 
+ * practically you need MSVC for debugging, and we only ship builds created 
+ * by MSVC, so doing it this way reduces complexity.) 
+ */ 
+ 

+ declspec ( noreturn ) inline void TBB_MOZ_NoReturn ( ) {} 

+ 

+# ifdef cplusplus 
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+# define TBB_MOZ_REALLY_CRASH ( ) \ 
+ do { \ 

+ debugbreak () ; \ 

+ *((volatile int*) NULL) = 123; \ 

+ : : TerminateProcess ( : : GetCurrentProcess ( ) , 3); \ 

+ : :TBB_MOZ_NoReturn(); \ 

+ } while (0) 

+# else 

+# define TBB_MOZ_REALLY_CRASH ( ) \ 
+ do { \ 

+ debugbreak () ; \ 

+ *((volatile int*) NULL) = 123; \ 

+ TerminateProcess (GetCurrentProcess () , 3); \ 

+ TBB_MOZ_NoReturn(); \ 

+ } while (0) 

+# endif 

+#else 

+# ifdef cplusplus 

+# define TBB_MOZ_REALLY_CRASH ( ) \ 
+ do { \ 

+ *((volatile int*) NULL) = 123; \ 

+ : : abort ( ) ; \ 

+ } while (0) 

+# else 

+# define TBB_MOZ_REALLY_CRASH ( ) \ 
+ do { \ 

+ *((volatile int*) NULL) = 123; \ 

+ abort (); \ 

+ } while (0) 

+# endif 

+#endif 

+ 

+ /* 

+ * TBB_MOZ_CRASH ([ explanation - string] ) crashes the program, plain and simple, in a 
+ * Breakpad - compatible way, in both debug and release builds. 
+ * 

+ * TBB_MOZ_CRASH is a good solution for "handling" failure cases when you're 
+ * unwilling or unable to handle them more cleanly -- for OOM, for likely memory 
+ * corruption, and so on. It's also a good solution if you need safe behavior 
+ * in release builds as well as debug builds. But if the failure is one that 
+ * should be debugged and fixed, TBB_MOZ_ASSERT is generally preferable. 
+ * 

+ * The optional explanation - string , if provided, must be a string literal 
+ * explaining why we're crashing. This argument is intended for use with 
+ * TBB_MOZ_CRASH ( ) calls whose rationale is non-obvious; don't use it if it's 
+ * obvious why we're crashing. 
+ * 

+ * If we ' re a DEBUG build and we crash at a TBB_MOZ_CRASH which provides an 

+ * explanation - string , we print the string to stderr. Otherwise, we don't 

+ * print anything; this is because we want TBB_MOZ_CRASH to be 100% safe in release 

+ * builds, and it's hard to print to stderr safely when memory might have been 
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+ * corrupted. 

+ */ 

+#ifdef TOR_NASSERT 

+# define TBB_MOZ_CRASH ( . . . ) TBB_MOZ_REALLY_CRASH ( ) 
+#else 

+# define TBB_MOZ_CRASH ( . . . ) \ 
+ do { \ 

+ TBB_MOZ_ReportCrashC"' VA_ARGS , FILE , LINE ); \ 

+ TBB_MOZ_REALLY_CRASH(); \ 

+ } while(0) 

+#endif 

+ 

+#ifdef cplusplus 

+} /* extern "C" */ 
+#endif 



debug builds. If it is, execution continues. Otherwise, an error message 
including the expression and the explanation - string (if provided) is printed, 
an attempt is made to invoke any existing debugger, and execution halts. 
TBB_MOZ_ASSERT is fatal: no recovery is possible. Do not assert a condition 
+ * which can correctly be falsy. 

The optional explanation - string , if provided, must be a string literal 
explaining the assertion. It is intended for use with assertions whose 
correctness or rationale is non-obvious, and for assertions where the "real" 
condition being tested is best described prosaically. Don't provide an 
explanation if it's not actually helpful. 

// No explanation needed: pointer arguments often must not be NULL. 
TBB_MOZ_ASSERT(arg); 

// An explanation can be helpful to explain exactly how we know an 
// assertion is valid. 

TBB_MOZ_ASSERT( state == WAITING_FOR_RESPONSE , 

"given that <thingA> and <thingB>, we must have..."); 

// Or it might disambiguate multiple identical (save for their location) 
// assertions of the same expression. 

TBB_MOZ_ASSERT(getSlot(PRIMITIVE_THIS_SLOT) .isUndef ined(), 

"we already set [ [ PrimitiveThis ] ] for this Boolean object"); 
TBB_MOZ_ASSERT(getSlot(PRIMITIVE_THIS_SLOT) . isUndef ined ( ) , 

"we already set [[PrimitiveThis]] for this String object"); 

TBB_MOZ_ASSERT has no effect in non-debug builds. It is designed to catch bugs 
*only* during debugging, not "in the field". 
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/* First the single - argument form. */ 
+# define TBB_MOZ_ASSERT_HELPERl(expr) \ 
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+ do { \ 

+ if (MOZ_UNLIKELY( ! (expr))) { \ 

+ TBB_MOZ_Report Assert ion Failure (#expr j FILE , LINE ); \ 

+ TBB_MOZ_REALLY_CRASH(); \ 

+ } \ 

+ } while (0) 

+ /* Now the two-argument form. */ 

+# define TBB_M0Z_ASSERT_HELPER2 (expr , explain) \ 

+ do { \ 

+ if (MOZ_UNLIKELY( ! (expr))) { \ 

+ TBB_MOZ_ReportAssertionFailure(#expr " (" explain ")", FILE , LINE ); 

\ 

+ TBB_MOZ_REALLY_CRASH(); \ 

+ } \ 

+ } while (0) 

+ /* And now, helper macrology up the wazoo. */ 

+ /* 

+ * Count the number of arguments passed to TBB_MOZ_ASSERT , very carefully 

+ * tiptoeing around an MSVC bug where it improperly expands VA_ARGS as a 

+ * single token in argument lists. See these URLs for details: 
+ * 

+ * http://connect. microsoft . com/VisualStudio/f eedback/details/380090/ variadic- 
macro- replacement 

+ * http://cplusplus.co.il/2010/ 07 /17/variadic- macro-to-count-number- of - 

arguments/#comment -644 
+ */ 

+# define TBB_M0Z_C0UNT_ASSERT_ARGS_IMPL2(_1, _2 , count, ...) \ 
+ count 

+# define TBB_MOZ_COUNT_ASSERT_ARGS_IMPL ( args ) \ 

+ TBB_M0Z_C0UNT_ASSERT_ARGS_IMPL2 args 

+# define TBB_MOZ_COUNT_ASSERT_ARGS ( . . . ) \ 

+ TBB_MOZ_COUNT_ASSERT_ARGS_IMPL(( VA_ARGS , 1, 1, 0)) 

+ /* Pick the right helper macro to invoke. */ 

+# define TBB_M0Z_ASSERT_CH00SE_HELPER2(count) TBB_MOZ_ASSERT_HE LPER##count 

+# define TBB_M0Z_ASSERT_CH00SE_HELPER1 (count ) TBB_M0Z_ASSERT_CH00SE_HELPER2 ( count ) 

+# define TBB_MOZ_ASSERT_CHOOSE_HELPER ( count ) TBB_MOZ_ASSERT_CHOOSE_HE LPER1 ( count ) 

+ /* The actual macro. */ 

+# define TBB_MOZ_ASSERT_GLUE (x, y) x y 

+# define TBB_MOZ_ASSERT ( . . . ) \ 

+ TBB_MOZ_ASSERT_GLUE ( TBB_HOZ_ASSERT_CHOOSE_HE LPER ( TBB_MOZ_COUNT_ASSERT_ARGS ( 

VA_ARGS )), \ 

+ ( VA_ARGS )) 

+#else 

+# define TBB_MOZ_ASSERT ( . . . ) do { } while(0) 

+#endif /* !TOR_NASSERT */ 

+ 

+ /* 

+ * TBB_MOZ_ASSERT_IF(condl, cond2) is equivalent to TBB_M0Z_ASSERT(cond2) if condl 
is 

+ * true. 
+ * 
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+ * TBB_MOZ_ASSERT_IF(isPrime(num), num == 2 | | isOdd ( num) ) ; 

+ * 

+ * As with TBB_M0Z_ASSERT , TBB_MOZ_ASSERT_IF has effect only in debug builds. It is 
+ * designed to catch bugs during debugging, not "in the field". 

+ */ 

+#ifndef T0R_NASSERT 

+# define TBB_MOZ_ASSERT_IF ( cond , expr) \ 

+ do { \ 

+ if (cond) \ 

+ TBB_H0Z_ASSERT( expr ) ; \ 

+ } while (0) 

+#else 

+# define TBB_MOZ_ASSERT_IF ( cond , expr) do { } while (0) 

+#endif 

+ 

+ /* 

+ * TBB_MOZ_NOT_REACHED_MARKER( ) expands to an expression which states that it is 
+ * undefined behavior for execution to reach this point. No guarantees are made 
+ * about what will happen if this is reached at runtime. Most code should 
+ * probably use the higher level TBB_M0Z_N0T_REACHED , which uses this when 
+ * appropriate. 
+ */ 

+#if defined( clang ) 

+# define TBB_MOZ_NOT_REACHED_MARKER ( ) builtin_unreachable ( ) 

+#elif defined( GNUC ) 

+ /* 

+ * builtin_unreachable ( ) was implemented in gcc 4.5. If we don't have 

+ * that, call a noreturn function; abort() will do nicely. Qualify the call 
+ * in C++ in case there's another abort() visible in local scope. 
+ */ 

+# if M0Z_GCC_VERSI0N_AT_LEAST(4, 5, 0) 

+# define TBB_MOZ_NOT_REACHED_MARKER ( ) builtin_unreachable ( ) 

+# else 

+# ifdef cplusplus 

+# define TBB_MOZ_NOT_REACHED_MARKER ( ) :: abort () 

+# else 

+# define TBB_MOZ_NOT_REACHED_MARKER ( ) abortQ 

+# endif 
+# endif 

+#elif def ined (_MSC_VER) 

+# define TBB_MOZ_NOT_REACHED_MARKER ( ) assume (0) 

+#else 

+# ifdef cplusplus 

+# define TBB_MOZ_NOT_REACHED_MARKER ( ) ::abort() 
+# else 

+# define TBB_MOZ_NOT_REACHED_MARKER ( ) abortQ 

+# endif 

+#endif 

+ 

+ /* 

+ * TBB_M0Z_N0T_REACHED( reason ) indicates that the given point can't be reached 
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during execution: simply reaching that point in execution is a bug. It takes 
as an argument an error message indicating the reason why that point should 
not have been reachable. 

// ...in a language parser... 
void handle(BooleanLiteralNode node) 
{ 

if ( node . isTrue ( ) ) 

handleTrueLiteral(); 
else if ( node . isFalse ( ) ) 

handleFalseLiteral(); 
else 

TBB_MOZ_NOT_REACHED( " boolean literal that's not true or false?"); 

} 

+#if ! def ined(TOR_NASSERT) 

+# define TBB_MOZ_NOT_REACHED( reason ) \ 

+ do { \ 

+ TBB_MOZ_ASSERT (false , reason); \ 

+ TBB_MOZ_NOT_REACHED_MARKER(); \ 

+ } while (0) 

+#else 

+# define TBB_MOZ_NOT_REACHED( reason ) TBB_MOZ_NOT_REACHED_MARKER ( ) 

+#endif 

+ 

+ /* 

+ * TBB_MOZ_ALWAYS_TRUE ( expr ) and TBB_MOZ_ALWAYS_FALSE ( expr ) always evaluate the 
provided 

+ * expression j in debug builds and in release builds both. Then, in debug 
+ * builds only, the value of the expression is asserted either true or false 
+ * using TBB_MOZ_ASSERT. 
+ */ 

+#ifndef TOR_NASSERT 

+# define TBB_MOZ_ALWAYS_TRUE ( expr ) TBB_MOZ_ASSERT ( ( expr ) ) 

+# define TBB_MOZ_ALWAYS_FALSE (expr) TBB_MOZ_ASSERT( ! (expr) ) 

+#else 

+# define TBB_MOZ_ALWAYS_TRUE ( expr ) (( void ) (expr ) ) 

+# define TBB_MOZ_ALWAYS_FALSE (expr) (( void ) (expr ) ) 

+#endif 
+ 

+#endif /* mozilla_Assertions_h_ */ 

diff --git a/mf bt/DebugOnlyTor . h b/mf bt/DebugOnlyTor . h 

new file mode 100644 

index 0000000 .. 322cb85 

— /dev/null 

+++ b/mf bt/DebugOnlyTor . h 

@@ -0,0 +1,77 @(5) 

+ /* _*_ Mode: C++; tab-width: 2; indent -tabs -mode : nil; c - basic -of f set : 2 -*- */ 
+/* This Source Code Form is subject to the terms of the Mozilla Public 
+ * License, v. 2.0. If a copy of the MPL was not distributed with this 
+ * file, You can obtain one at http://mozilla.Org/MPL/2.0/. */ 
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+ 

+/* 

+ * Provides DebugOnlyTor , a type for variables used only in debug builds (i.e. by 
+ * assertions ) . 
+ */ 
+ 

+#ifndef tor_DebugOnly_h_ 
+#define tor_DebugOnly_h_ 
+ 

+namespace mozilla { 
+ 

+ * DebugOnlyTor contains a value of type T, but only in debug builds. In release 
+ * builds, it does not contain a value. This helper is intended to be used with 
+ * MOZ_ASSERT ()- style macros, allowing one to write: 
+ * 

+ * DebugOnlyTor<bool> check = func(); 
+ * MOZ_ASSERT(check); 
+ * 

+ * more concisely than declaring |check| conditional on #ifdef DEBUG, but also 
+ * without allocating storage space for |check| in release builds. 

+ * 

+ * DebugOnlyTor instances can only be coerced to T in debug builds. In release 
+ * builds they don't have a value, so type coercion is not well defined. 
+ */ 

+template<typename T> 
+class DebugOnlyTor 
+ { 

+ public: 

+#ifndef TOR_NASSERT 

+ T value; 

+ 

+ DebugOnlyTor( ) { } 

+ DebugOnlyTor ( const T& other) : value(other) { } 

+ DebugOnlyTor ( const DebugOnlyTorS other) : value(other . value) { } 
+ DebugOnlyTorS operator= ( const T& rhs) { 
+ value = rhs; 

+ return *this; 

+ } 

+ void operator++( int ) { 
+ value++; 
+ } 

+ void operator --( int ) { 
+ value--; 

+ } 
+ 

+ T* operator&() { return Rvalue; } 
+ 

+ operator T&() { return value; } 

+ operator const T&() const { return value; } 

+ 
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* DebugOnlyTor must always have a destructor or else it will 

* generate "unused variable" warnings, exactly what it's intended 

* to avoid ! 

*/ 

-DebugOnlyTor( ) {} 



+ T& operator ->( ) { return value; } 
+ 

+#else 

+ DebugOnlyTor( ) { } 
+ DebugOnlyTor(const TS) { } 
+ DebugOnlyTor ( const DebugOnlyTorS) { } 
+ DebugOnlyTor& operator= ( const TS) { return *this; } 
+ void operator++( int ) { } 
+ void operator --( int ) { } 
+#endif 
+ 

+ /* 
+ 
+ 
+ 
+ 
+ 

+ 

+} 
+ 

+#endif /* tor_DebugOnly_h_ */ 

diff --git a/mf bt/exported_headers . mk b/mf bt/exported_headers . mk 
index 6370936 .. 5582fcd 100644 

— a/mf bt/exported_headers . mk 
+++ b/mf bt/exported_headers . mk 

§@ -10,6 +10,7 @@ EXPORTS_NAHESPACES += mozilla 

EXPORTS_mozilla += \ 

Assertions. h \ 
+ AssertionsTor . h \ 

Atomics. h \ 

Attributes. h \ 

BloomFilter . h \ 
@@ -19,6 +20,7 @@ EXPORTS_mozilla += \ 

Compiler. h \ 

Constants. h \ 

DebugOnly.h \ 
+ DebugOnlyTor . h \ 

decimal/Decimal . h \ 

Endian.h \ 

EnumSet.h \ 

diff --git a/xpcom/base/nsAutoPtr . h b/xpcom/base/nsAutoPtr . h 
index e33eaeb . . 009ef 8b 100644 

— a/xpcom/base/nsAutoPtr . h 
+++ b/xpcom/base/nsAutoPtr . h 

@(5) -994,7 +994,7 §§ class nsRefPtr 

// parameters where rhs bay be a T** or an I** where I is a base class 
// Of T. 

{ 

NS_ASSERTION(rhs, "Null pointer passed to forget!"); 
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+ TBB_NS_ASSERTION(rhs, "Null pointer passed to forget!"); 

*rhs = mRawPtr; 
mRawPtr = 0; 

} 

diff --git a/xpcom/glue/nsDebugTor . h b/xpcom/glue/nsDebugTor . h 
index 343e84e . . 55b6f c6 100644 
— a/xpcom/glue/nsDebugTor . h 
+++ b/xpcom/glue/nsDebugTor . h 
§§ -15 ,7 +15,7 @@ 
#endif 

#include "nsXPCOM.h" 
-#include "mozilla/Assertions.h" 
+# include " mo zilla/ Assert ions To r.h" 

#include "mozilla/ Likely . h" 

#ifndef TORJMASSERT 
§§ -349,7 +349,7 @@ 

#define TBB_NS_CheckThreadSaf e ( owningThread , msg) 
#else 

#define TBB_NS_CheckThreadSaf e (owningThread , msg) \ 
MOZ_ASSERT(owningThread == PR_GetCurrentThread ( ) , msg) 
+ TBB_MOZ_ASSERT(owningThread == PR_GetCurrentThread ( ) , msg) 
#endif 

/* When compiling the XPCOM Glue on Windows, we pretend that it's going to 



Listing 8: Sample Patch For Enabling Assertions In The JavaScript Engine 
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F Memory Allocator Replacement Patches 



F.l Replacement Sample 



From da3fl399f cc9bbf 8e0b66e9a3c649c58c0e46221 Mon Sep 17 00:00:00 2001 

From: Tom Ritter <tom(5)ritter . vg> 

Date: Wed, 21 May 2014 18:18:04 +0000 

Subject: [PATCH] Sample Malloc - Replacing Library 



.mozconfig | 1 + 

memory / replace/moz . build | 1 + 

memory /replace/ realloc/Makef ile . in | 20 
memory / replace/ realloc/moz . build | 13 
memory/replace/realloc/realloc . c [ 32 
5 files changed, 67 insertions (+) 

create mode 100644 memory/ replace/realloc/Makef ile . in 
create mode 100644 memory/replace/realloc/moz . build 
create mode 100644 memory/replace/realloc/realloc . c 



diff --git a/. mozconfig b/. mozconfig 
index e9a9432 . . b957ebe 100755 
— a/. mozconfig 
+++ b/. mozconfig 

@@ -6,6 +6,7 @@ mk_add_options MOZ_MAKE_F LAGS = " - j4" 
mk_add_options M0ZILLA_0FFICIAL=1 
mk_add_options BUI LD_0FFICIAL=1 



+ac_add_options --enable -replace -malloc 

ac_add_options -- enable - optimize 

#ac_add_options --disable -optimize 

ac_add_options --enable- of ficial - branding 
diff --git a/memory/replace/moz . build b/memory /replace/moz . build 
index cb00e57 . . d378dce 100644 

— a/memory /replace/moz . build 
+++ b/memory /replace/moz . build 
@@ -7,3 +7,4 (3(5) 

# Build jemalloc3 as a replace -malloc lib when building with mozjemalloc 
if not CONFIG [ ' MOZ_DEMALLOC ' ] : 
DIRS += [ ' jemalloc ' ] 
+DIRS += [ ' realloc ' ] 

diff --git a/memory/replace/ realloc/Makef ile . in b/memory/replace/realloc/Makef ile . in 
new file mode 100644 
index 0000000 .. 0893297 

— /dev/null 

+++ b/memo ry/ replace/ realloc/Makefile. in 
@@ -8,0 +1,20 @(a> 

+# This Source Code Form is subject to the terms of the Mozilla Public 
+# License, v. 2.0. If a copy of the MPL was not distributed with this 
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+# file, You can obtain one at http://mozilla.Org/MPL/2.0/. 
+ 

+DEPTH = @DEPTH@ 

+topsrcdir = @top_srcdir(5) 

+srcdir = @srcdir(5) 

+VPATH = @srcdir(5) 

+ 

+include $( DEPTH )/config/autoconf.mk 
+ 

+FORCE_SHARED_LIB = 1 
+NO_DIST_INSTALL = 1 
+ 

+VPATH += $(topsrcdir)/memory/build 
+ 

+MOZ_GLUE_LDF LAGS = # Don't link against mozglue 

+WRAP_LDFLAGS = # Never wrap malloc function calls with -Wl,--wrap 
+ 

+include $(topsrcdir)/config/ rules. mk 

diff --git a/memory/replace/realloc/moz . build b/memory/replace/realloc/moz . build 
new file mode 100644 
index 0000000 .. 7f48c22 

— /dev/null 

+++ b/memory/replace/realloc/moz. build 
@@ -0,0 +1,13 @(5> 

+# -*- Mode: python; c - basic -of f set : 4; indent -tabs -mode : nil; tab-width: 40 -*- 
+# vim: set f iletype=python : 

+# This Source Code Form is subject to the terms of the Mozilla Public 
+# License, v. 2.0. If a copy of the MPL was not distributed with this 
+# file, You can obtain one at http://mozilla.Org/MPL/2.0/. 
+ 

+MODULE = 'memory' 
+ 

+LIBRARY_NAME = ' replace_realloc ' 
+ 

+CSRCS += [ 

+ ' realloc . c ' , 

+ ] 

diff --git a/memory/replace/realloc/realloc . c b/memory/replace/realloc/realloc . c 
new file mode 100644 
index 0000000 .. fd4e2b5 

— /dev/null 

+++ b/memory/replace/realloc/realloc.c 
@@ -0,0 +1,32 @(5) 

+// This header will declare all the replacement functions, such that you don't need 

+// to worry about exporting them with the right idiom (dllexport, visibility...) 

+#include " replace_malloc . h" 

+#include <stdlib.h> 

+#include <stdio.h> 

+ 

+static const malloc_table_t *funcs = NULL; 
+static unsigned int total = 0, copies = 0; 
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+ 

+void replace_jemalloc_stats ( jemalloc_stats_t *stats) 
+ { 

+ printf("%d reallocs, %d copies\n", total, copies); 
+ funcs - >jemalloc_stats ( stats ) ; 

+ } 
+ 

+void 

+replace_init ( const malloc_table_t *table) 
+ { 

+ funcs = table; 

+ printf("In init!\n"); 

+ } 
+ 

+void *replace_realloc ( void *ptr, size_t size) 
+ { 

+ void *newptr = funcs - >realloc ( ptr, size); 

+ // Not thread-safe, but it's only an example. 

+ total++; 

+ // We don't want to count deallocations as copies. 
+ if (newptr && newptr != ptr) 
+ copies++; 
+ return newptr; 
+ } 

1.7.9.5 



Listing 9: Sample Patch For Memory Allocator Replacement Library 
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F.2 CTMalloc Replacement Library 

Note: This does not include the following files from http://src.chromium.org/blink/trunk/Source/ 
wtf/. Some of these files were edited to prevent errors due to the use of undefined macros such as 
ENABLE. 

• AddressSpaceRandomization.cpp 

• AddressSpaceRandomization.h 

• Assertions.h 

• Atomics.h 

• BitwiseOperations.h 

• ByteSwap.h 

• CPU.h 

• Compiler.h 

• Makefile. in 



#include " replace_malloc . h " 
#include <stdlib.h> 
ttinclude <stdio.h> 

ttinclude "config.h" 
#include "wtf /PartitionAlloc . h" 
#include <string.h> 

static const malloc_table_t *funcs = NULL; 

static unsigned int mallocs = 0, frees = 0, reallocs = 0, callocs = 0; 

static PartitionAllocatorGeneric partition; 
static bool initialized; 

extern "C" { 

void replace_init ( const malloc_table_t *table) 
{ 

funcs = table; 
printf("In init!\n"); 

} 

void replace_jemalloc_stats ( jemalloc_stats_t *stats) 
{ 

printf("%d mallocs, %d frees, %d reallocs, %d callocs\n", mallocs, frees, reallocs, 
callocs ) ; 

} 

void* replace_malloc ( size_t size) 
{ 



• PageAllocator.cpp 

• PageAllocator.h 

• PartitionAlloc. cpp 

• PartitionAlloc. h 

• ProcessID.h 

• SpinLock.h 

• WTFExport.h 

• config.h 
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mallocs++; 

if (UNLIKELY( ! initialized) ) { 
initialized = true; 
partition . init ( ) ; 

} 

return partitionAllocGeneric ( partition . root () , size); 

} 

void replace_f ree( void* ptr) 
{ 

//I beLieve this was a Chrome -onLy quirk. Going to attempt removing it 
//if (reinterpret_cast<uintptr_t >(ptr) >= 0x500000000000) 
// return f uncs -> free (ptr ) ; 
f rees++; 

pa rtitionFreeGeneric (partition. root ( ) , ptr ) ; 

} 

void* replace_realloc ( void* ptr, size_t size) 
{ 

reallocs++; 

if (UNLIKELY( ! initialized) ) { 
initialized = true; 
partition . init ( ) ; 

} 

if (UNLIKELY( ! ptr) ) { 

return partitionAllocGeneric (partition . root( ) , size); 

} 

//I beLieve this was a Chrome -onLy quirk. Going to attempt removing it 
//if (reinterpret_cast<uintptr_t>(ptr) >= 0x500000000000) 
// return f uncs ->reaLLoc (ptr , size); 
if (UNLIKELY(lsize)) { 

partitionFreeGeneric(partition.root(), ptr); 

return 0; 

} 

return partitionReallocGeneric ( partition . root () , ptr, size); 

} 

void* replace_calloc ( size_t nmemb, size_t size) 
{ 

void* ret; 

size_t real_size = nmemb * size; 
if (UNLIKELY( ! initialized) ) { 

initialized = true; 

partition . init ( ) ; 

} 

callocs++; 

RELEASE_ASSERT( ! nmemb || real_size / nmemb == size); 
ret = partitionAllocGeneric ( partition . root () , real_size); 
memset ( ret , ' \0 ' , real_size); 
return ret; 
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void *replace_valloc ( size_t size) 
{ 

printf ( "AH ! ! ! ! valloc.\n"); 
return NULL; 

} 

void *replace_memalign ( size_t alignment, size_t size) 
{ 

size_t remainder = size % alignment; 
return replace_malloc ( size + remainder); 

} 

void * replace_aligned_alloc ( size_t alignment, size_t size) 
{ 

printf ("AH! ! ! aligned_alloc\n " ) ; 
return NULL; 

} 

int replace_posix_memalign ( void **ptr, size_t alignment, size_t size) 
{ 

size_t remainder = size % alignment; 
*ptr = replace_malloc ( size + remainder); 
if(*ptr == NULL) 

return -1; 
return 0; 

} 

size_t replace_malloc_usable_size ( usable_ptr_t ptr) 
{ 

size_t s = partitionAllocGetSize(ptr) ; 

return s; 

} 

size_t replace_malloc_good_size ( size_t size) 
{ 

return size; 

} 

void replace_jemalloc_purge_f reed_pages ( ) 

{ 

} 

void replace_jemalloc_f ree_dirty_pages ( ) 

{ 

} 



} 



Listing 10: Working Progress of ctmalloc replacement library 
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# -*- Mode: python; c-basic -off set : 4; indent -tabs -mode : nil; tab-width: 40 -*- 

# vim: set f iletype=python : 

# This Source Code Form is subject to the terms of the Mozilla Public 

# License, v. 2.0. If a copy of the MPL was not distributed with this 

# file, You can obtain one at http://moziLLa.Org/MPL/2.0/. 

MODULE = 'memory' 

LIBRARY_NAME = ' replace_ctalloc ' 

CPP_SOURCES += [ 
' malloc . cpp ' , 
' PartitionAlloc . cpp ' , 
'PageAllocator.cpp', 
'AddressSpaceRandomization.cpp', 
] 

Listing 11: Build File for ctmalloc library 
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G JavaScript Preference Options 



The following code snippet indicates that when the browser is in "Safe Mode", several of these features 
are disabled regardless of preference. Safe Mode is determined if the environment variable MOZ_SAF E_- 
MODE_RESTART is set, if the command line argument -safe-mode is supplied, or if the Shift or Option 
key is held on startup - more commonly it is entered when the user chooses to 'Restart with Add-Ons 
Disabled'. 



static 


const 


char 


js. 


_werror_option_str [ ] = 


DS_OPTIONS_DOT_STR 


"werror"; 


#ifdef 


JS_GC_ 


ZEAL 














static 


const 


char 


js. 


_zeal_option_str [ ] 


= JS_OPTIONS 


_DOT_ 


STR 


"gczeal"; 


static 


const 


char 


js. 


_zeal_f requency_str [ ] 


= JS_OPTIONS 


_DOT_ 


STR 


"gczeal. frequency"; 


#endif 


















static 


const 


char 


js. 


_typeinf er_str [ ] 


= JS_OPTIONS 


_DOT_ 


STR 


"typeinf erence" ; 


static 


const 


char 


js. 


_pc count s_cont ent_st r [ ] 


= 3S_0PTI0NS 


_DOT_ 


STR 


"pccounts. content"; 


static 


const 


char 


js. 


_pc count s_c h rome_st r [ ] 


= JS_OPTIONS 


_DOT_ 


STR 


"pccounts. chrome"; 


static 


const 


char 


js. 


_jit_hardening_str [ ] 


= JS_OPTIONS 


_DOT_ 


STR 


" jit_hardening" ; 


static 


const 


char 


js. 


_memlog_option_str [ ] 


= DS_OPTIONS 


_DOT_ 


STR 


"mem . log" ; 


static 


const 


char 


js. 


_memnotif y_option_str [ ] 


= 3S_0PTI0NS 


_DOT_ 


STR 


"mem . notify" ; 


static 


const 


char 


js. 


_disable_explicit_compartment_gc [ ] = 








DS_OPTIONS_ 


_DOT_STR 


"mem . disable_explicit_ 


compartment_g 


c" ; 






static 


const 


char 


js. 


_asm j s_content_str [ ] 


= JS_OPTIONS 


_DOT_ 


STR 


"asm j s " ; 



static const char j s_baseline j it_content_str [ ] = DS_OPTIONS_DOT_STR " baseline j it . 
content " ; 

static const char j s_baseline j it_chrome_str [ ] = DS_0PTI0NS_DOT_STR " baseline j it . 
chrome"; 

static const char j s_baselinej it_eager_st r [ ] = 3S_0PTI0NS_D0T_STR "baselinejit . 

unsaf e_eager_compilation " ; 
static const char j s_ion_content_st r [ ] = JS_OPTIONS_DOT_STR " ion . content " ; 

static const char j s_ion_eager_str [ ] = JS_OPTIONS_DOT_STR "ion. 

unsaf e_eager_compilat ion " ; 
static const char j s_ion_parallel_compilation_st r [ ] = 3S_0PTI0NS_D0T_STR "ion. 

parallel_compilation " ; 

int 

nsDSContext : : DSOptionChangedCallback(const char *pref, void *data) 
{ 

//. . • 

bool usePCCounts = Preferences :: GetBool ( chromeWindow || ! contentWindow ? 

j s_pccounts_chrome_str : 
j s_pccounts_content_str ) ; 

bool useTypelnf erence = ! chromeWindow && contentWindow && 
Preferences: : GetBool ( j s_typeinf er_str ) ; 

bool useHardening = Preferences :: GetBool ( j s_jit_hardening_str ) ; 

bool useBaselineDIT = Preferences :: GetBool ( chromeWindow || ! contentWindow ? 



js_baseline jit_chrome_str : 
js_baseline j it_content_str ) ; 



bool 



bool 



bool 



useBaselineJ ITEager = Preferences: : GetBool ( j s_baseline jit_eager_str ) 
uselon = Preferences :: GetBool( js_ion_content_str) ; 
uselonEager = Preferences :: GetBool ( j s_ion_eager_str ) ; 
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bool useAsmJS = Preferences :: GetBool ( j s_asmj s_content_str ) ; 

bool pa r a lie llonCompilat ion = Preferences : :GetBool(j s_ion_parallel_compilation_st r ) ; 
nsCOMPtr<nsIXULRuntlme> xr = do_Get Service (XULRUNTIME_SERVICE_CONTRACTID ) ; 
if (xr) { 

bool safeMode = false; 

xr - >GetInSaf eMode (Ssaf eMode ) ; 

if (safeMode) { 

usePCCounts = false; // javascript . options . pccounts . content or .chrome 
useTypelnf erence = false; // javascript . options . typeinference 
useHardening = false; //javascript . options . jit_hardening 

useBaselineDIT = false; //javascript . options . baseLine jit . content or .chrome 
useBaselineJ ITEager = false; //javascript . options . baseLine jit . 

unsafe_eager_compiLation 
uselon = false; // javascript . options . ion . content 

uselonEager = false; // javascript . options . ion . unsafe_eager_compiLation 
useAsmJS = false; //javascript . options . asmj s 

} 



Listing 12: dom/base/nsJSEnvironment.cpp 



javascript. options. ion. content 

This setting will disable Ion, the newer JIT engine. The main entry point for the Ion engine is a branch 
injs: :RunScriptin Interpreter, cpp. iSEC identified a number of bugs in the Ion JIT engine, as shown 
in section 3.1 on page 10. 

javascript. options. baselinejit.content 

This setting disables the Baseline Compiler. 56 Disabling this will also disable Ion: 

static inline bool 
IsIonEnabled ( JSContext *cx) 
{ 

return cx- >has0ption ( DS0PTI0N_I0N ) && 
cx->has0pt ion ( DS0PTI0N_BASE LINE) && 
cx->typeInferenceEnabled(); 

} 

Listing 13: js/src/jit/Ion.h 

But if you disable Ion and leave this enabled, you will hit certain code paths that include parallel script 
execution (js : : ParallelDo), a branch in the js : : RunScript function, and a few other small areas. 
From what iSEC can tell, it does not make sense to leave this enabled if Ion is disabled. 

56 https : //blog.mozilla .org/ j a vase ript/2013/04/65/t he- baseline- compiler- has- landed/ 
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javascript, options, typeinference 

Note: The actual preference appears to be javascript. options.typeinference - and does not include a 
'.content' at the end. 

As with the prior setting, disabling this setting will also disable Ion. But if you disable Ion and leave this 
enabled, it appears you will hit code paths in the JSScript, JSFunction, JSObject, TypeCompartment, 
and types classes, mostly contained in jsinfer.cpp. 

iSEC search for bugs that may be related directly to Type Inference, and found several (799803, 822858, 
785576, 781855, 811616, 820186, 807047, and 831055), implying that disabling this feature may in fact 
eliminate some exploitable code paths. 
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